14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Size

488KB
MD5

8f7a814c55bc34d86973592e70330420
SHA1

be93e306fe6e93814b1a84db2d0108d912522884
SHA256

14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9
SHA512

155df712d078de1d23afafdaf0637afeb71ec3571ce6b7edbfd5d032b712b4d2545e9cff44d16a20184e7d3863168feb9a2ca3fa13a044c7906b1d602e264e3d
SSDEEP

12288:V/M9/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V6K2O2HIBEd7M

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
1984	Tiwi.exe
2972	IExplorer.exe
2156	Tiwi.exe
2420	Tiwi.exe
2980	IExplorer.exe
2000	IExplorer.exe
684	Tiwi.exe
980	winlogon.exe
2308	winlogon.exe
3052	IExplorer.exe
2456	winlogon.exe
2448	imoet.exe
2508	imoet.exe
2496	imoet.exe
1048	cute.exe
880	cute.exe
2788	cute.exe
2760	Tiwi.exe
2624	Tiwi.exe
2660	winlogon.exe
2600	IExplorer.exe
3016	IExplorer.exe
2960	Tiwi.exe
1952	imoet.exe
2084	winlogon.exe
792	winlogon.exe
2608	IExplorer.exe
2616	imoet.exe
2648	cute.exe
2924	cute.exe
2904	imoet.exe
2376	winlogon.exe
2148	imoet.exe
2180	cute.exe
572	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
1984	Tiwi.exe
1984	Tiwi.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
1984	Tiwi.exe
1984	Tiwi.exe
2972	IExplorer.exe
2972	IExplorer.exe
2972	IExplorer.exe
2972	IExplorer.exe
1984	Tiwi.exe
1984	Tiwi.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2972	IExplorer.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2972	IExplorer.exe
2972	IExplorer.exe
1984	Tiwi.exe
2972	IExplorer.exe
1984	Tiwi.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2308	winlogon.exe
2308	winlogon.exe
2448	imoet.exe
2448	imoet.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2308	winlogon.exe
2448	imoet.exe
2448	imoet.exe
880	cute.exe
880	cute.exe
2448	imoet.exe
2448	imoet.exe
2448	imoet.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
2308	winlogon.exe
2308	winlogon.exe
880	cute.exe
880	cute.exe
880	cute.exe
880	cute.exe
2308	winlogon.exe
2308	winlogon.exe
880	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\Z:	imoet.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\T:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\K:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\R:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\Y:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\J:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\L:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\X:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\V:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\E:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\N:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\Q:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\P:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened (read-only)	\??\W:	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\autorun.inf	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	F:\autorun.inf	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\shell.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	Tiwi.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1984	Tiwi.exe
2448	imoet.exe
2308	winlogon.exe
2972	IExplorer.exe
880	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
1984	Tiwi.exe
2972	IExplorer.exe
2156	Tiwi.exe
2980	IExplorer.exe
2420	Tiwi.exe
2000	IExplorer.exe
684	Tiwi.exe
2308	winlogon.exe
3052	IExplorer.exe
980	winlogon.exe
2456	winlogon.exe
2448	imoet.exe
2508	imoet.exe
2496	imoet.exe
880	cute.exe
2788	cute.exe
2760	Tiwi.exe
1048	cute.exe
2624	Tiwi.exe
2660	winlogon.exe
2600	IExplorer.exe
3016	IExplorer.exe
2960	Tiwi.exe
1952	imoet.exe
2084	winlogon.exe
792	winlogon.exe
2616	imoet.exe
2608	IExplorer.exe
2924	cute.exe
2648	cute.exe
2376	winlogon.exe
2904	imoet.exe
2148	imoet.exe
2180	cute.exe
572	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1984	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	30
PID 2240 wrote to memory of 1984	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	30
PID 2240 wrote to memory of 1984	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	30
PID 2240 wrote to memory of 1984	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	30
PID 2240 wrote to memory of 2972	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	31
PID 2240 wrote to memory of 2972	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	31
PID 2240 wrote to memory of 2972	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	31
PID 2240 wrote to memory of 2972	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	31
PID 2240 wrote to memory of 2156	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	33
PID 2240 wrote to memory of 2156	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	33
PID 2240 wrote to memory of 2156	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	33
PID 2240 wrote to memory of 2156	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	33
PID 1984 wrote to memory of 2420	1984	Tiwi.exe	32
PID 1984 wrote to memory of 2420	1984	Tiwi.exe	32
PID 1984 wrote to memory of 2420	1984	Tiwi.exe	32
PID 1984 wrote to memory of 2420	1984	Tiwi.exe	32
PID 2240 wrote to memory of 2980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	34
PID 2240 wrote to memory of 2980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	34
PID 2240 wrote to memory of 2980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	34
PID 2240 wrote to memory of 2980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	34
PID 1984 wrote to memory of 2000	1984	Tiwi.exe	35
PID 1984 wrote to memory of 2000	1984	Tiwi.exe	35
PID 1984 wrote to memory of 2000	1984	Tiwi.exe	35
PID 1984 wrote to memory of 2000	1984	Tiwi.exe	35
PID 2240 wrote to memory of 980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	36
PID 2240 wrote to memory of 980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	36
PID 2240 wrote to memory of 980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	36
PID 2240 wrote to memory of 980	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	36
PID 2972 wrote to memory of 684	2972	IExplorer.exe	37
PID 2972 wrote to memory of 684	2972	IExplorer.exe	37
PID 2972 wrote to memory of 684	2972	IExplorer.exe	37
PID 2972 wrote to memory of 684	2972	IExplorer.exe	37
PID 1984 wrote to memory of 2308	1984	Tiwi.exe	38
PID 1984 wrote to memory of 2308	1984	Tiwi.exe	38
PID 1984 wrote to memory of 2308	1984	Tiwi.exe	38
PID 1984 wrote to memory of 2308	1984	Tiwi.exe	38
PID 2972 wrote to memory of 3052	2972	IExplorer.exe	39
PID 2972 wrote to memory of 3052	2972	IExplorer.exe	39
PID 2972 wrote to memory of 3052	2972	IExplorer.exe	39
PID 2972 wrote to memory of 3052	2972	IExplorer.exe	39
PID 2972 wrote to memory of 2456	2972	IExplorer.exe	40
PID 2972 wrote to memory of 2456	2972	IExplorer.exe	40
PID 2972 wrote to memory of 2456	2972	IExplorer.exe	40
PID 2972 wrote to memory of 2456	2972	IExplorer.exe	40
PID 1984 wrote to memory of 2448	1984	Tiwi.exe	41
PID 1984 wrote to memory of 2448	1984	Tiwi.exe	41
PID 1984 wrote to memory of 2448	1984	Tiwi.exe	41
PID 1984 wrote to memory of 2448	1984	Tiwi.exe	41
PID 2240 wrote to memory of 2496	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	42
PID 2240 wrote to memory of 2496	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	42
PID 2240 wrote to memory of 2496	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	42
PID 2240 wrote to memory of 2496	2240	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe	42
PID 2972 wrote to memory of 2508	2972	IExplorer.exe	43
PID 2972 wrote to memory of 2508	2972	IExplorer.exe	43
PID 2972 wrote to memory of 2508	2972	IExplorer.exe	43
PID 2972 wrote to memory of 2508	2972	IExplorer.exe	43
PID 2972 wrote to memory of 880	2972	IExplorer.exe	44
PID 2972 wrote to memory of 880	2972	IExplorer.exe	44
PID 2972 wrote to memory of 880	2972	IExplorer.exe	44
PID 2972 wrote to memory of 880	2972	IExplorer.exe	44
PID 1984 wrote to memory of 1048	1984	Tiwi.exe	45
PID 1984 wrote to memory of 1048	1984	Tiwi.exe	45
PID 1984 wrote to memory of 1048	1984	Tiwi.exe	45
PID 1984 wrote to memory of 1048	1984	Tiwi.exe	45

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

C:\Users\Admin\AppData\Local\Temp\14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe
"C:\Users\Admin\AppData\Local\Temp\14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1984
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2000
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2308
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2760
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2084
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2904
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2180
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2448
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2624
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3016
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:792
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2616
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2648
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1048
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2972
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:684
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2456
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:880
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2960
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2608
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2376
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2148
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:572
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2156
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2980
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:980
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2660
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
c8d2516990fa4331c02e7aaf01f01908

SHA1
f7887c9af02d032a3ae79396ed6067d17cde2370

SHA256
7eb8fc47dd5901d584c52589d84e0e364496bebf50c91da392d33d8b61b82bfe

SHA512
010375abe328ec980e519123e371fecd54a82064eeafedd6f9f8556649c7a4b3109d62300d15ee017fea52513aabe6b5f9b1ac951c2fbce4ee0f21d2d663a7a8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
4e6083e07fc7df412b71a920a0d88700

SHA1
80eec5b492705fcfd5f72e8a54c0aafaf4eee4c1

SHA256
eb87bf5b044bf892c87ec0596c836434c280f906f9d3c55ad94392f331bb79f4

SHA512
5ab7a8ba85c56ddcff3a45281b8c64df9f9e160498da9735ee2ee6f1acc340a576f615701c7f226325d9cb4a8c9c61e3a2903255f76e8cee5d7dea2eb70d5304

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
593ef36d509e81f88762b72898b5ccc5

SHA1
bf34b981fee4ae675faa18064b4f4e4b6906f518

SHA256
896c8cd4f5f0d4122262a9e6c229d97e56c89e933f60b587b9f02e17ab9428b2

SHA512
b4127e8d97b07475fe21a58faa155c5b3dd5663024f993ea554ea00a387c3c8db007e7a64eff5e6bb2709e750411143d4d525808a34f569d948259bea634bf35

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
801fa9eecad9b7250dde2684b4f06769

SHA1
741d1633e66c69faf93fb5246d4dbfe15d9ccfc8

SHA256
e44c835833f1d97a6e1d024c9a39f21783d3304cc5aaa937578cf8c6c1f667e2

SHA512
f9c7eceb5554155239c0926c8997ca10b4b73d0ab9e3ef735f1fecf69fb4c5f4a88a7591de294c64bddf45d01290b75279bec0d3d9caf956bb7734653f0431b4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
eddbc21c875d602ed15018c5ead60e72

SHA1
d38c24e0ea300c0cc7b03421d6b08331c75babd7

SHA256
8bc8e5b85abe638500ae9dc816680bfa77a7b20c44c1c8e76e92830c54c8d529

SHA512
b39289bdd55bd78d36c041735eb9c7a2b38f4e3a0f4985ceb7620f58e388b5866f12b19dfc44bbddbb86d0b2a35886a312cd22780ac31c6097871ad17fc6b4a9

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
5749d79256015cd88dd8266e26a109f0

SHA1
c6f033d14c10a19e2a92ff3db209929e0135ff40

SHA256
2d1d4f1cc42a0f6d19163c75e4bb649ff785297660dbb8171b0ece1dd7f594e0

SHA512
100f01ace0d8ae8bdd98376119ddda0d9c8b0f976551a984479b9b84951c8cc1783555794eee330c071f29548bb54fe1581af3dcd6178d90d87dc8600f2a516f

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
d87ce957485413f4ef4bee6da7b62515

SHA1
5b0057379764692de8db7fdd1d185713a1760677

SHA256
605cd975c046131d65bee9af6797d6484182e7f843f94bb719d171548a0d7100

SHA512
4fc79585bcd8c2c9738895a9beedf3b369848390cadab271f95e9f2bd2923ff6168fec07325b575f7ec862a55bd236179b7e69d5d206c2ab4a73c4ef9549fd25

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
319693ebca3c1ef5e3a0ca62996da958

SHA1
457e0e3452af4daa9fdb6d81b30251893451a131

SHA256
6637524f77b59fdf35e63eaf6cf008edb97139ad554ec847477aeff881921c06

SHA512
429f33fb0b95c7e086beeccd74ee4736a32a52b8176684e51d3b0c04edab31b3ea8e2dc72335ca164934bc103e2552aa567e728b4d2a64755b627bcaab3a4025

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
0b0d982615c6c6ec6404fba083d6ff2f

SHA1
512ca96a63f3e1fca24992efc276238f169dc85e

SHA256
3208b9fbb93d6f850550d86562f26ddcc727fd64084086dda8f4e96524ce4861

SHA512
85befc99c98f6333c2f2d8710d94aab23898e883241fe64406c1e74849d4d7ed7b50f8ad0e63ea0b5be28477318f0e701900dec854adab7c1d0287e6e43a6a79

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
488KB

MD5
5362af7846d8771ce97ac1d407f8326d

SHA1
1d7f5cb2e79d71130d07fdeefbe0511f85c83bb4

SHA256
31091e59cff45a6d8dbdae5489dfc7304da902dcf501d27fe8598222af9d58fb

SHA512
5112fe8fddd7847fa41b14a67843979971e58dde401d7dd04f00140b117f0e96f5106aa8dd5d68827e233076000155c2465d429b7d8c88c551175fb1266a3e5c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
488KB

MD5
34cfe50bcc28cc1e0c2a8784fd2957af

SHA1
47154fbad6203b03bc7ca512fe12eb2a8ab6c6a4

SHA256
ace0ff77d4c4ca914697b43f579a628786727a4f18b09f7cfcbb024b72f0d629

SHA512
3a62cf52e5720b9793fc943dac3e4d771a49e9abf6fc8da2f45c2b8584840e58dcb7223ed59ce5c52071fd362cc5081fe626a421c42de83e7746b8c5ac5038b9

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
f9b8e31f9f99433d155a469d75d8c78e

SHA1
957ab19502d1aa2b3db5abcdb4687da937205d31

SHA256
0178cbd5e8b87877a40d22e59d7e93a4a02a3ac45239f8f33ea16aea0d751fbe

SHA512
90b24d0389484f91edc9790c7a3ce349c4f5b9497189de7f02340b8449a5b60ebf1be9ebbd4461e7082fa7f3b4440833fe531e05a9d13598e87dd865170365e9

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
a24e9801edd2ee4854cabf54c2829ad5

SHA1
f231e94278d6cb21684959a20586ccf26f24301f

SHA256
5248182612609c7683e37deaad6526bb2dc98fa032b063ebb6eab61d8ddca358

SHA512
6d2b468a86f0cbb93d6ebefa8111df2f1e6399a7c6dd1c1997537baa982c6e4325d46b59977be5ff39f7de9ed694adb77738109c140c363f7b36ea5b13a3de56

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
920760a0bb0c7a62dd26442fee98ff14

SHA1
fe9e34a9d817023fe6641812911cf5551e46ec5c

SHA256
e351dd4027461c52ee8b97f38f9d0e700ad50f7c2db74534201905f70b2f46fa

SHA512
a0c19e73d322411af4c916efbf099886670e7d99c140cc624f8468356e102e0a879abf0459993fa10b6b30d2e29bb7de531a7f620cbe7e256f87c9de665c7c4f

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
7a773222edc4e04af522820c568e500a

SHA1
262dae382b46a174e9dafb26b3dfa16ce59ca158

SHA256
9c847aa4eadaa67ea4e9f4494ce288ae2a7489c4607ac7fa3cb3166ae6b190a0

SHA512
fdb514624a39ba7d64179082ae62693989584691140f778be28bcdbd3be7a1c82e1760012f43617ae057142f115c372787c089e4e2938e4217fb5089e1beebf3

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
fac4b2b15b50e245a2065248fd1af5a8

SHA1
aecc306f7c1db77a003a66c8a277c18ac5920b7a

SHA256
b16dc0200a3bd6fe0f692cc1cbc260d996fbdee8096dddaa4c2aaa2c76e1497e

SHA512
e60faa9a5b12df44d12d90f0680b57dcd1f966aa20e44673b748b10ef9bca1d79a04f81232e3b37b5dba2dd6e585779b98bd605db436894bd97ac247fe67df67

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
088eb854587c910658a1f267857e8fd4

SHA1
75e285ed39da922efdf9064551b3b7f75c3fb10e

SHA256
35117de55804062f467797f31cfa5f7e4edf8631ded97f56f732458c83683cc1

SHA512
017e9e7f14898e13fa6e67490c35edce215103d602664fc26aad3c844f6330ce7e9e372e6ffc2e60ffbd2114ffe5ac701acc23e0427d64b5dfe926fbad15f721

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
8f7a814c55bc34d86973592e70330420

SHA1
be93e306fe6e93814b1a84db2d0108d912522884

SHA256
14146d56f00d6b518813525600fbf667f520fd3c9b42b32eb16f1620147747d9

SHA512
155df712d078de1d23afafdaf0637afeb71ec3571ce6b7edbfd5d032b712b4d2545e9cff44d16a20184e7d3863168feb9a2ca3fa13a044c7906b1d602e264e3d

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
47f2aa35581ea985b1697713777a1e9c

SHA1
356121f1a7a18e0199b89128590b6513561b3c85

SHA256
6ddf895d7f2d4bbaf31191a7634a80443587d9e304e9f4c5390ddc2b082579fb

SHA512
53f3467a2c8c2ad77fe5862650343dea8707819540ac0136bdf7b585fe144fa98e4e6de56f4cafc95a813e44ca7639baba695017342eadb63b3d13e89ef18608

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
50498f07b9761781e52c7abea0de0b8d

SHA1
79f827bc787078984b18ef4c10cc5a29f43cc2fd

SHA256
61b4151f47dd730e6e5e7f274f870a18a845a75e12cb3acbc9b804c4bc3090da

SHA512
4872fcd705aa4bf5b90ddddb94a6e367ffb419da4411cef07af27a9d975233c708ea881dce14b65c24b6587a870154f0ba74effcd2d854cfdd1efe715e3a3cfb

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
fbc40b76b3a7cd184b8455f400afea7d

SHA1
0edb52b3507a228ff4c27a82f8dc28cd57613a08

SHA256
93b8b0f42ace7598853028943729454caea5b73690de586075ba59682688e559

SHA512
e55e9829b86da9dadc9468f36097b183beb1218575cbc47ed96153cbe741bb3dad9a476de1ed0d38ae329b4f43ce43e27e43eac92bc339f88d2c2f4bd947cb0e

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
537811d1d67cb43d6176e5a5353387c8

SHA1
4451eea534b4ab7aae184ce484d9dc9ed077ff14

SHA256
a8ce69a416c8eeb3a762665b9662e669e5510f305535d4b08b75138c6befa635

SHA512
c6d6cbdbce631027b56af3a88bd5213f483e8de02ece220d85c9e7715f0ab759f3060ff3fb59d46a89680937ab1301f0aa7bf2e94d18568949359e6f9f2b8d5b

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
bccc806835790a37b0a9724ecaf4308a

SHA1
2e191be375657a1ce2684eed28e79dc272c80595

SHA256
74649d059f0f877617fadd5b369464e7775d85587078696082f4cc1d41bb6acd

SHA512
adf69e18e702470959a496f948636d3a48ba0f958b2c717e84d4b74f15546399034ff60d7b83013f497f5bb999b2040d566c14cd0f1e65670b27a8b02d75c40e

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
60589bea4312cfc967cf244d95f2bfa6

SHA1
695d4678b657960d48f4709cc0e550ce14162bdd

SHA256
493f13c7174c3fecb5e0b9df0ccbcdf389d607c45d50fa2eabab3be0bc4a1198

SHA512
550fcd61b0f5bb3ff09cbf05246984d4e22421cbe6e1effed8afd495b111453141357ea0ca50a872d61456c9b38a3d4baaf9bdd70f7cd11a10911ea9acc3f6c4

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
e474eddb6a174264cca4bbcd34d67dd3

SHA1
eb4ec345a58fddf424dc5502fd64a586a63da4ad

SHA256
3fbf56ca7e88fd569802e5489d8ed79c685eb80ae9dc7c37433d7c72772e4709

SHA512
0d114ce036558c1e822ba6bb71c202297b5e61531d2f3f9adf117bd974f2eccda0e265c77a7b548e93bb6a35e0b4faee70bc59d327fb84825b28a9ac7e3143a0

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
a714fd8d65c9be242154db43bd5dbde7

SHA1
632238eb3b5226b4609b295d0b17de5e4c5a81b8

SHA256
7c8bd37b3742469060551c8cfca8012f8a22827c53672407de186031f79c9e06

SHA512
b5220ffd0d91ed0fcfa89798519f04f2e8f051c1a8332e85f14ee8651ed328d9534ae7f49ef83acf4f8672610375813fed18d16845cb2b56e802a78fdb896596

Download Submit
memory/684-288-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/684-284-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1952-418-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1984-236-0x0000000003850000-0x0000000003E4F000-memory.dmp

Filesize
6.0MB

Download
memory/1984-235-0x0000000003850000-0x0000000003E4F000-memory.dmp

Filesize
6.0MB

Download
memory/1984-237-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1984-100-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2000-238-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2000-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2148-439-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2156-211-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2156-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2156-205-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-99-0x0000000003880000-0x0000000003E7F000-memory.dmp

Filesize
6.0MB

Download
memory/2240-215-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-98-0x0000000003880000-0x0000000003E7F000-memory.dmp

Filesize
6.0MB

Download
memory/2240-111-0x0000000003880000-0x0000000003E7F000-memory.dmp

Filesize
6.0MB

Download
memory/2240-109-0x0000000003880000-0x0000000003E7F000-memory.dmp

Filesize
6.0MB

Download
memory/2240-431-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-220-0x0000000003880000-0x0000000003E7F000-memory.dmp

Filesize
6.0MB

Download
memory/2240-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-216-0x0000000003980000-0x0000000003F7F000-memory.dmp

Filesize
6.0MB

Download
memory/2420-207-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2420-224-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2420-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2600-411-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2600-412-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2624-389-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2648-433-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2648-432-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2760-410-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2960-422-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2972-417-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2972-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2980-219-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2980-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download