f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Size

272KB
MD5

8a0dd35e956381e5549ddfae9ab13960
SHA1

1665be89594880d1bd88f952d1d2ea7a62107125
SHA256

f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8
SHA512

5ec852575c78c05f05a5bbd0da0518411a636f5adf69532ec8c1a09fd8db647e96a3e537dc20917c880d10a64e93f036702975b359a32bb159b26294d11f33ff
SSDEEP

3072:YMBGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8Ci2:dw753RgWg4aAXjb6aEFfooeLNZxC

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 32 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe

Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
1948	Tiwi.exe
2504	IExplorer.exe
2964	Shell.exe
2324	Shell.exe
2184	Shell.exe
2176	Tiwi.exe
2116	IExplorer.exe
1808	winlogon.exe
1972	imoet.exe
1596	cute.exe
688	winlogon.exe
1520	imoet.exe
2392	cute.exe
1968	Shell.exe
876	Shell.exe
2792	Tiwi.exe
2896	Tiwi.exe
1804	IExplorer.exe
2900	IExplorer.exe
2596	winlogon.exe
2592	winlogon.exe
1920	imoet.exe
2416	imoet.exe
2688	cute.exe
1476	cute.exe
2060	Shell.exe
1976	Shell.exe
2952	Shell.exe
2324	Tiwi.exe
2104	IExplorer.exe
492	winlogon.exe
680	imoet.exe
1148	cute.exe
3036	Shell.exe
3056	Shell.exe
2412	Tiwi.exe
2460	IExplorer.exe
2580	winlogon.exe
2456	imoet.exe
1448	cute.exe
2928	Tiwi.exe
1340	IExplorer.exe
2956	Tiwi.exe
1928	winlogon.exe
1948	IExplorer.exe
1232	imoet.exe
1960	winlogon.exe
2392	cute.exe
2804	imoet.exe
1636	cute.exe
1692	Shell.exe
1556	Tiwi.exe
2796	IExplorer.exe
3004	winlogon.exe
2632	imoet.exe
2676	Tiwi.exe
2628	cute.exe
2596	IExplorer.exe
2640	winlogon.exe
2012	imoet.exe
2472	cute.exe
2880	Shell.exe
2324	Shell.exe
1428	Tiwi.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
532	WerFault.exe
532	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
3044	WerFault.exe
1808	winlogon.exe
1808	winlogon.exe
1596	cute.exe
1596	cute.exe
1808	winlogon.exe
1596	cute.exe
1596	cute.exe
1596	cute.exe
1596	cute.exe
1808	winlogon.exe
1808	winlogon.exe
1808	winlogon.exe
1596	cute.exe
1808	winlogon.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
532	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
2792	Tiwi.exe
2792	Tiwi.exe
2792	Tiwi.exe
2792	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x0034000000018654-7.dat	upx
behavioral1/memory/1948-100-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x00070000000175c6-97.dat	upx
behavioral1/files/0x0005000000019515-103.dat	upx
behavioral1/memory/2504-110-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x0034000000018654-115.dat	upx
behavioral1/memory/2964-118-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x000500000001957c-122.dat	upx
behavioral1/files/0x000500000001961b-123.dat	upx
behavioral1/files/0x0005000000019589-124.dat	upx
behavioral1/memory/2324-130-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2184-139-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2132-141-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1948-143-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2504-145-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2964-146-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x00070000000175cc-148.dat	upx
behavioral1/memory/2176-187-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x000500000001957c-196.dat	upx
behavioral1/memory/2116-204-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2132-198-0x00000000026B0000-0x00000000026F4000-memory.dmp	upx
behavioral1/files/0x0005000000019589-207.dat	upx
behavioral1/memory/2132-209-0x00000000026B0000-0x00000000026F4000-memory.dmp	upx
behavioral1/files/0x000500000001961b-217.dat	upx
behavioral1/memory/688-263-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1520-272-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2132-277-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2392-276-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1596-278-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2132-282-0x00000000026B0000-0x00000000026F4000-memory.dmp	upx
behavioral1/memory/1968-285-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/876-295-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x00070000000175cc-300.dat	upx
behavioral1/files/0x00070000000175c6-319.dat	upx
behavioral1/memory/1808-321-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2792-322-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x00070000000175cc-326.dat	upx
behavioral1/memory/2896-335-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1972-338-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1596-339-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1808-340-0x0000000002760000-0x00000000027A4000-memory.dmp	upx
behavioral1/memory/2896-347-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2900-352-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2596-357-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2592-358-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2792-351-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2592-359-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2596-360-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1804-348-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1596-362-0x0000000002680000-0x00000000026C4000-memory.dmp	upx
behavioral1/memory/2416-368-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1920-367-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2688-372-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1476-376-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2060-379-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1976-382-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2952-383-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2952-386-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2104-401-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1596-399-0x0000000002680000-0x00000000026C4000-memory.dmp	upx
behavioral1/memory/2324-397-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/2104-404-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/492-407-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\M:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\R:	Shell.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\G:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\H:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\P:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\Z:	Shell.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\J:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\E:	Shell.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\J:	Shell.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\Q:	Shell.exe
File opened (read-only)	\??\S:	Shell.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\N:	Shell.exe
File opened (read-only)	\??\W:	Shell.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\B:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\I:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\O:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\L:	Shell.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\Q:	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe

Modifies WinLogon 2 TTPs 48 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened for modification	F:\autorun.inf	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File created	C:\autorun.inf	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File opened for modification	C:\autorun.inf	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\tiwi.exe	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
532	2504	WerFault.exe	31
2956	1948	WerFault.exe	30
3044	2964	WerFault.exe	33
1784	1972	WerFault.exe	40
1488	2060	WerFault.exe	58
1036	2456	WerFault.exe	73
2876	2796	WerFault.exe	88
2636	2412	WerFault.exe	107
2748	2660	WerFault.exe	120
340	2012	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s2359 = "Tiwi"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe

Modifies Internet Explorer start page 1 TTPs 16 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2792	Tiwi.exe
1692	Shell.exe
1808	winlogon.exe
1596	cute.exe
1996	IExplorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
1948	Tiwi.exe
2504	IExplorer.exe
2964	Shell.exe
2324	Shell.exe
2184	Shell.exe
2176	Tiwi.exe
2116	IExplorer.exe
1808	winlogon.exe
1972	imoet.exe
1596	cute.exe
688	winlogon.exe
1520	imoet.exe
2392	cute.exe
1968	Shell.exe
876	Shell.exe
2792	Tiwi.exe
2896	Tiwi.exe
2900	IExplorer.exe
1804	IExplorer.exe
2596	winlogon.exe
2592	winlogon.exe
1920	imoet.exe
2416	imoet.exe
2688	cute.exe
1476	cute.exe
2060	Shell.exe
1976	Shell.exe
2952	Shell.exe
2324	Tiwi.exe
2104	IExplorer.exe
492	winlogon.exe
680	imoet.exe
1148	cute.exe
3036	Shell.exe
3056	Shell.exe
2412	Tiwi.exe
2460	IExplorer.exe
2580	winlogon.exe
2456	imoet.exe
1448	cute.exe
2928	Tiwi.exe
1340	IExplorer.exe
1928	winlogon.exe
2956	Tiwi.exe
1948	IExplorer.exe
1232	imoet.exe
1960	winlogon.exe
2392	cute.exe
2804	imoet.exe
1636	cute.exe
1692	Shell.exe
1556	Tiwi.exe
2796	IExplorer.exe
3004	winlogon.exe
2632	imoet.exe
2676	Tiwi.exe
2596	IExplorer.exe
2628	cute.exe
2640	winlogon.exe
2012	imoet.exe
2472	cute.exe
2880	Shell.exe
2324	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1948	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	30
PID 2132 wrote to memory of 1948	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	30
PID 2132 wrote to memory of 1948	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	30
PID 2132 wrote to memory of 1948	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	30
PID 2132 wrote to memory of 2504	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	31
PID 2132 wrote to memory of 2504	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	31
PID 2132 wrote to memory of 2504	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	31
PID 2132 wrote to memory of 2504	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	31
PID 2504 wrote to memory of 532	2504	IExplorer.exe	32
PID 2504 wrote to memory of 532	2504	IExplorer.exe	32
PID 2504 wrote to memory of 532	2504	IExplorer.exe	32
PID 2504 wrote to memory of 532	2504	IExplorer.exe	32
PID 1948 wrote to memory of 2956	1948	Tiwi.exe	34
PID 1948 wrote to memory of 2956	1948	Tiwi.exe	34
PID 1948 wrote to memory of 2956	1948	Tiwi.exe	34
PID 1948 wrote to memory of 2956	1948	Tiwi.exe	34
PID 2132 wrote to memory of 2176	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	37
PID 2132 wrote to memory of 2176	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	37
PID 2132 wrote to memory of 2176	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	37
PID 2132 wrote to memory of 2176	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	37
PID 2132 wrote to memory of 2116	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	38
PID 2132 wrote to memory of 2116	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	38
PID 2132 wrote to memory of 2116	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	38
PID 2132 wrote to memory of 2116	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	38
PID 2132 wrote to memory of 1808	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	39
PID 2132 wrote to memory of 1808	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	39
PID 2132 wrote to memory of 1808	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	39
PID 2132 wrote to memory of 1808	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	39
PID 2132 wrote to memory of 1972	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	40
PID 2132 wrote to memory of 1972	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	40
PID 2132 wrote to memory of 1972	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	40
PID 2132 wrote to memory of 1972	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	40
PID 2132 wrote to memory of 1596	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	41
PID 2132 wrote to memory of 1596	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	41
PID 2132 wrote to memory of 1596	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	41
PID 2132 wrote to memory of 1596	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	41
PID 2132 wrote to memory of 688	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	42
PID 2132 wrote to memory of 688	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	42
PID 2132 wrote to memory of 688	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	42
PID 2132 wrote to memory of 688	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	42
PID 2132 wrote to memory of 1520	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	43
PID 2132 wrote to memory of 1520	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	43
PID 2132 wrote to memory of 1520	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	43
PID 2132 wrote to memory of 1520	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	43
PID 2132 wrote to memory of 2392	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	44
PID 2132 wrote to memory of 2392	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	44
PID 2132 wrote to memory of 2392	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	44
PID 2132 wrote to memory of 2392	2132	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe	44
PID 2964 wrote to memory of 3044	2964	Shell.exe	45
PID 2964 wrote to memory of 3044	2964	Shell.exe	45
PID 2964 wrote to memory of 3044	2964	Shell.exe	45
PID 2964 wrote to memory of 3044	2964	Shell.exe	45
PID 1808 wrote to memory of 2792	1808	winlogon.exe	48
PID 1808 wrote to memory of 2792	1808	winlogon.exe	48
PID 1808 wrote to memory of 2792	1808	winlogon.exe	48
PID 1808 wrote to memory of 2792	1808	winlogon.exe	48
PID 1596 wrote to memory of 2896	1596	cute.exe	49
PID 1596 wrote to memory of 2896	1596	cute.exe	49
PID 1596 wrote to memory of 2896	1596	cute.exe	49
PID 1596 wrote to memory of 2896	1596	cute.exe	49
PID 1808 wrote to memory of 1804	1808	winlogon.exe	50
PID 1808 wrote to memory of 1804	1808	winlogon.exe	50
PID 1808 wrote to memory of 1804	1808	winlogon.exe	50
PID 1808 wrote to memory of 1804	1808	winlogon.exe	50

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe

C:\Users\Admin\AppData\Local\Temp\f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe
"C:\Users\Admin\AppData\Local\Temp\f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2132
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 388
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2956
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2184
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:532
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 400
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3044
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:876
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 408
        5⤵
        Program crash
        
        PID:1488
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3036
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3056
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1808
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2792
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2104
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:492
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:680
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1148
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2928
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1340
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1928
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1232
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2392
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2408
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      PID:352
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      PID:2740
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      System policy modification
      PID:2660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 376
        5⤵
        Program crash
        
        PID:2748
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2532
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2732
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      PID:1432
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2432
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1476
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 376
      4⤵
      Program crash
      PID:1036
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
      - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 368
        7⤵
        Program crash
        
        PID:2876
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
      - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
      - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1380
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        6⤵
        
        PID:1972
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:748
      - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        6⤵
        
        PID:2160
      - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        System policy modification
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 376
        7⤵
        Program crash
        
        PID:2636
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Drops file in Windows directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1124
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        6⤵
        
        PID:2644
      - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2816
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        6⤵
        
        PID:1836
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        6⤵
        
        PID:2720
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
      - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
      - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:996
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        6⤵
        
        PID:1380
      - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - System policy modification
    PID:2012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 376
      4⤵
      Program crash
      PID:340
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1156
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1624
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    PID:2472
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    PID:608
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    PID:2948
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:780
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    PID:924
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - System policy modification
    PID:1996
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1012
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2028
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    PID:2740
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    PID:2412
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies WinLogon
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1784
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1976
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2952
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1596
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1920
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2688
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1960
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2472
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:688
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
eaad2722399087e0adf8a49874b11aec

SHA1
9477cf5225df4abd86b9997557f9bd20b48f1f2f

SHA256
7161b24420f1dd41bf88d786859cccd70297cf3330f127a7fe15a3f2bf3d2fae

SHA512
9c74932d2ac9924efee251ddfd0c161d31a9aca2f596bb6ed751317f30ead43b1e19c7b0bca163e1493806e3c1ea8decbdaf0229d04135957d1fc7246771d6be

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
272KB

MD5
eba923225e4c59751c72cd516aaa9aea

SHA1
12a1a89d33e443ace897b311e043184960e3cd11

SHA256
289f493ade42481c7c8c9150c815c168c10643a8636006d22eb9008af6205b4f

SHA512
6be96d5fc77bd39fa22f58931f3bcb2358a6d3ef999b698498fab69920466c5c26fde0a7e6ad283b1a01825f3160159e35f2ff11e1fe523808e91f08b7eb1c86

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
272KB

MD5
12a1b69bd80aab9f718060d897b2315b

SHA1
407eaa460da114f045c0536c37b1e383595d9121

SHA256
9970627351ce179c5123b0f6353e76ccb4d98c346b9fbebc4ba79136c23afd4d

SHA512
b6ad3fa7750f03172f86ad47de72bf42aa252e837561533b2538e76db381eda5670aea48f1f1f5585c6baf28ae9716d1cf04087b53f8f871af8b13656b5a74a4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
0aadec345b7cbc86e9e3e072f27e70fe

SHA1
42b817c2fc67145360ba20089f721194522c7dee

SHA256
b8f136629c6aa42f9ca90b549932df60d520747e35b350855756f4b6cc95d629

SHA512
cbc04352e797a236c881e2f0595ecb56991f8aff6685e0eb7c872d108b35dddb65f6a2d701d5066a223c3cb847723771a89fcebc4969172c558db1c3a2ddef20

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
272KB

MD5
446167bf05d7d1d094f00d8cc013f07a

SHA1
f276caa74da4b74b5e08f938cbd1b325515718ed

SHA256
d592a03a4bee84ea41f629ed68327081005ba997460790a3b73e6b5d408fbefa

SHA512
a8451abe329073cac7c1fe0c7809ad36cf6fdd0fc4705475987bd9ca6338d62ef44d565fe69144613619f9a47be9f7e7434aee2edba067563ccfaeab7f29ce9d

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
272KB

MD5
8a0dd35e956381e5549ddfae9ab13960

SHA1
1665be89594880d1bd88f952d1d2ea7a62107125

SHA256
f0288bf4853d925b2d32556d1c443bf6f81516a611e5816ee351f7c8756034b8

SHA512
5ec852575c78c05f05a5bbd0da0518411a636f5adf69532ec8c1a09fd8db647e96a3e537dc20917c880d10a64e93f036702975b359a32bb159b26294d11f33ff

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\tiwi.exe

Filesize
272KB

MD5
daec2eaf9bb362fc916bcd91f4067fdd

SHA1
cf73ac24c739550905a3c2e3027134b0c2e539c2

SHA256
0eb1a3d517550002c7da9ac449ce53151da723570a05b0722d8b7cc448678de2

SHA512
f8872779c62364153fa12c9f0e1cd01e7639f2a13f2fdb539ddf43972c6bbd4740e5921546a0974aed31d243773c86037c99988fbb446972eaef68074b3b31a2

Download Submit
C:\Windows\tiwi.exe

Filesize
272KB

MD5
ca5e4c33216cad03b1f7a5b8b4eb7e26

SHA1
14bfa26145e3fe7097547c9096faa4365b0b586a

SHA256
492f6216e1fb8a98b5c333fe0abdf5a137db37c3734573a918dc97157af88936

SHA512
a3c20be6c58b2a698191e7f0655a8151ae145888d651a57d709e98999079579a0fd4b6b9b2b7a746fc4ae239c64e435e945d84a59240adcd6fc8e0bc8531407d

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
272KB

MD5
e119d21334d79cfd3efe9ede6b4a2e39

SHA1
e04d2ddfc591597dd78c3e374f612b23559fe136

SHA256
8fbbf3ec0f2259e51c0b9663b8624f7bf08d0d36dcfa9fb18b7b66a830290cb3

SHA512
6f8a90a5bc4ea34ab6b0e4de9bf4148ddbf03c71214752224ee9498a2b834068f9afdf49313f0e5a8739c3fe66391cecfc143ae880ae5ba1ac085cb54c376161

Download Submit
C:\tiwi.exe

Filesize
272KB

MD5
294ef7569f4ce7d2cfcaa657d351bf31

SHA1
d84ad692ae552595351f97fae82311fcf92fc7ef

SHA256
4e7d523700463ed622ee6a9649b86760f51de9b357994021877069cc42ca40a3

SHA512
99c741f13276ce4f1db8e6120fd2c1ee8e945b9049e5616d6d677aa6b6288b206a23e86435899259b685721a0e5a0f60245d7484fb83312ea0dffd91e737cf9c

Download Submit
C:\tiwi.exe

Filesize
272KB

MD5
0983361ab8ddcaa0b1d11b874f455a88

SHA1
f753e1f5344ae26dc56692631b973c06e05ae24f

SHA256
42a65343ec5c26450741de94b1e4cc779c6929cba83bd7aa20d5574db8957387

SHA512
7ff0604ed4cf156f8cea269062b1f949b397c53354d1dc1390849db961c89d9fa8d07d932d8bc347a4445ee3068dfde430cc6882b4828b9b98635ca4a185a138

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
272KB

MD5
3ed73e83d59572e5a6fd4c063ed464aa

SHA1
da9098138fdb29e9d6dcd5819a33e77de0008ee9

SHA256
ca6ca42cd0acc1ee22e25d93af74485364fb48c73146bd74d38ec34d63af7395

SHA512
c81595a8a38d74032f4b87f472ca565fbec70eb61a5a7a3f744a9a4b6c3edd0f18664508a04fd85eb5d1806959349434eccc0a538993f08397e3577a81b7eaca

Download Submit
\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
272KB

MD5
3fcf0a35411112cba9e8639a11e2dd2a

SHA1
f2d042126fe8eca00391c42245a8872179a1ee2b

SHA256
b1018a1969484439cd20e5e5dbc332322a536b97e624e2d2e69ffacf67e7970e

SHA512
3b08b902aba281932f4564abada18e32328b0bafa7a504384070918a2d2b363078347366285a0cd36a4ca2cab250ebb25e74fd5080cec60d756694a22b7fdf6a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
272KB

MD5
145dc463c13d5aa110301a5af878861f

SHA1
03ac765745bc71bc8125e470135032a3539b1648

SHA256
3841497553881600d6d9fe9df932905bbf65ed3a7239a3f142cebc3fb0f148c9

SHA512
4408147b671c147feede1c3e7f01edd145755eeb69585b8fcb31344fa504d77a937d323c510e021e7cc75731da0ace1f49cc03a77907b412c02969c9adc2a07f

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
272KB

MD5
acafdd157abcb3750c7b2bd87d7e4b5b

SHA1
aec850bb76ec2d5874f8ea3572320dce31c11473

SHA256
56988d70ed68685fda99ea8546aaf6ef445ebf191bce4a1899ca8287c9b81e93

SHA512
dd073a91784c3f3a85d04ef12fef83802b18b6cd220e322311f15688271c8370d0e13e77fe7355240ed4e19e27cc0cfcc4f0850c8e163b380adde3d89b0b41af

Download Submit
\Windows\SysWOW64\shell.exe

Filesize
272KB

MD5
590036e9c05e5fbe39fd9ecba6249fa0

SHA1
f845478fbe8cbec0a2561cf5217809bf653de4f9

SHA256
955ce3a17bbd74e022fe56bd9b78b7da0ef898df601813fdb81cf426f7f6435b

SHA512
02e66b117eaeb2eab07b11a1dfde9ade41ed9b4c4d57a302ac7e5ef4419922d5775377675c5bccddf637d754507d019775d9367c056c2ada23ce2590ab02200f

Download Submit
memory/492-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/564-755-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/608-881-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/680-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/680-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/684-961-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/688-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/876-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1012-991-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1148-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-642-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1448-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1476-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-557-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1596-350-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-349-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-399-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-504-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-362-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-341-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-500-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-334-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1596-488-0x0000000002680000-0x00000000026C4000-memory.dmp

Filesize
272KB

Download
memory/1804-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-361-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-436-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-369-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-508-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-470-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-444-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-507-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-451-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-400-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-340-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-455-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-320-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1808-438-0x0000000002760000-0x00000000027A4000-memory.dmp

Filesize
272KB

Download
memory/1920-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-724-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1948-498-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1948-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-857-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2104-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2104-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2116-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-142-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-98-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-209-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-144-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-182-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-282-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-99-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-198-0x00000000026B0000-0x00000000026F4000-memory.dmp

Filesize
272KB

Download
memory/2132-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2160-681-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2176-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-186-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2184-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-924-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2324-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-396-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2392-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-439-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2412-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2456-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2460-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2504-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2504-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-828-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2592-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-796-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2676-594-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2688-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-489-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2792-620-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2792-492-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2792-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-506-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2792-505-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2792-1025-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2792-398-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2792-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-477-0x0000000002870000-0x00000000028B4000-memory.dmp

Filesize
272KB

Download
memory/2896-342-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2896-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2896-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-473-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2952-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2952-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-494-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2956-496-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2956-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-495-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2964-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2964-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download