d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74e

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Size

488KB
MD5

24bc92778dc6cd95a15e44bd2775d270
SHA1

aa21996dc392e3807e7d7c93f0d69676087488c1
SHA256

d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74e
SHA512

c5c85ceb18913c42f1bbbb4d9ce2d56a3bc8b597e680a834538222b9f24fc4df956af376ff0469d107d0c9d414e8c8e0c8c3ae91d76e4fcc463858d9a0f33adb
SSDEEP

12288:V/Mk/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V/K2O2HIBEd7M

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
2596	Tiwi.exe
3008	IExplorer.exe
1964	Tiwi.exe
2740	Tiwi.exe
2868	IExplorer.exe
2516	IExplorer.exe
1716	Tiwi.exe
2300	winlogon.exe
1356	winlogon.exe
2272	imoet.exe
2084	imoet.exe
2240	cute.exe
3052	IExplorer.exe
2612	cute.exe
2624	winlogon.exe
2640	winlogon.exe
2076	Tiwi.exe
2584	Tiwi.exe
2540	imoet.exe
2532	imoet.exe
2656	IExplorer.exe
2604	IExplorer.exe
1476	cute.exe
572	winlogon.exe
1564	Tiwi.exe
2288	cute.exe
2728	imoet.exe
1496	IExplorer.exe
2772	winlogon.exe
3020	imoet.exe
3016	winlogon.exe
2620	cute.exe
2188	imoet.exe
956	cute.exe
2152	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2596	Tiwi.exe
2596	Tiwi.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2596	Tiwi.exe
2596	Tiwi.exe
2596	Tiwi.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2596	Tiwi.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
3008	IExplorer.exe
3008	IExplorer.exe
2596	Tiwi.exe
2596	Tiwi.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
3008	IExplorer.exe
3008	IExplorer.exe
3008	IExplorer.exe
3008	IExplorer.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2300	winlogon.exe
2300	winlogon.exe
2272	imoet.exe
2272	imoet.exe
3008	IExplorer.exe
3008	IExplorer.exe
2300	winlogon.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2240	cute.exe
2240	cute.exe
2300	winlogon.exe
2300	winlogon.exe
2272	imoet.exe
2272	imoet.exe
2272	imoet.exe
2240	cute.exe
2240	cute.exe
2300	winlogon.exe
2300	winlogon.exe
2240	cute.exe
2240	cute.exe
2272	imoet.exe
2272	imoet.exe
2240	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\N:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\L:	cute.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\E:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\J:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\M:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\Z:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\G:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\K:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\U:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\X:	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\S:	Tiwi.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	F:\autorun.inf	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened for modification	F:\autorun.inf	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\autorun.inf	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\Windows\SysWOW64\tiwi.scr	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\s1159 = "Tiwi"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2596	Tiwi.exe
2272	imoet.exe
2300	winlogon.exe
3008	IExplorer.exe
2240	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
2596	Tiwi.exe
3008	IExplorer.exe
1964	Tiwi.exe
2740	Tiwi.exe
2868	IExplorer.exe
2300	winlogon.exe
2516	IExplorer.exe
1356	winlogon.exe
2272	imoet.exe
1716	Tiwi.exe
2084	imoet.exe
2240	cute.exe
3052	IExplorer.exe
2612	cute.exe
2640	winlogon.exe
2624	winlogon.exe
2584	Tiwi.exe
2076	Tiwi.exe
2532	imoet.exe
2656	IExplorer.exe
2540	imoet.exe
1476	cute.exe
572	winlogon.exe
2604	IExplorer.exe
1564	Tiwi.exe
2288	cute.exe
2772	winlogon.exe
1496	IExplorer.exe
2728	imoet.exe
3016	winlogon.exe
2620	cute.exe
3020	imoet.exe
2188	imoet.exe
956	cute.exe
2152	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2596	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	31
PID 944 wrote to memory of 2596	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	31
PID 944 wrote to memory of 2596	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	31
PID 944 wrote to memory of 2596	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	31
PID 944 wrote to memory of 3008	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	32
PID 944 wrote to memory of 3008	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	32
PID 944 wrote to memory of 3008	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	32
PID 944 wrote to memory of 3008	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	32
PID 944 wrote to memory of 1964	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	33
PID 944 wrote to memory of 1964	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	33
PID 944 wrote to memory of 1964	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	33
PID 944 wrote to memory of 1964	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	33
PID 2596 wrote to memory of 2740	2596	Tiwi.exe	34
PID 2596 wrote to memory of 2740	2596	Tiwi.exe	34
PID 2596 wrote to memory of 2740	2596	Tiwi.exe	34
PID 2596 wrote to memory of 2740	2596	Tiwi.exe	34
PID 944 wrote to memory of 2868	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	35
PID 944 wrote to memory of 2868	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	35
PID 944 wrote to memory of 2868	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	35
PID 944 wrote to memory of 2868	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	35
PID 2596 wrote to memory of 2516	2596	Tiwi.exe	37
PID 2596 wrote to memory of 2516	2596	Tiwi.exe	37
PID 2596 wrote to memory of 2516	2596	Tiwi.exe	37
PID 2596 wrote to memory of 2516	2596	Tiwi.exe	37
PID 3008 wrote to memory of 1716	3008	IExplorer.exe	36
PID 3008 wrote to memory of 1716	3008	IExplorer.exe	36
PID 3008 wrote to memory of 1716	3008	IExplorer.exe	36
PID 3008 wrote to memory of 1716	3008	IExplorer.exe	36
PID 944 wrote to memory of 2300	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	38
PID 944 wrote to memory of 2300	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	38
PID 944 wrote to memory of 2300	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	38
PID 944 wrote to memory of 2300	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	38
PID 2596 wrote to memory of 1356	2596	Tiwi.exe	39
PID 2596 wrote to memory of 1356	2596	Tiwi.exe	39
PID 2596 wrote to memory of 1356	2596	Tiwi.exe	39
PID 2596 wrote to memory of 1356	2596	Tiwi.exe	39
PID 2596 wrote to memory of 2084	2596	Tiwi.exe	40
PID 2596 wrote to memory of 2084	2596	Tiwi.exe	40
PID 2596 wrote to memory of 2084	2596	Tiwi.exe	40
PID 2596 wrote to memory of 2084	2596	Tiwi.exe	40
PID 944 wrote to memory of 2272	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	41
PID 944 wrote to memory of 2272	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	41
PID 944 wrote to memory of 2272	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	41
PID 944 wrote to memory of 2272	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	41
PID 944 wrote to memory of 2240	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	42
PID 944 wrote to memory of 2240	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	42
PID 944 wrote to memory of 2240	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	42
PID 944 wrote to memory of 2240	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	42
PID 3008 wrote to memory of 3052	3008	IExplorer.exe	43
PID 3008 wrote to memory of 3052	3008	IExplorer.exe	43
PID 3008 wrote to memory of 3052	3008	IExplorer.exe	43
PID 3008 wrote to memory of 3052	3008	IExplorer.exe	43
PID 2596 wrote to memory of 2612	2596	Tiwi.exe	44
PID 2596 wrote to memory of 2612	2596	Tiwi.exe	44
PID 2596 wrote to memory of 2612	2596	Tiwi.exe	44
PID 2596 wrote to memory of 2612	2596	Tiwi.exe	44
PID 944 wrote to memory of 2624	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	45
PID 944 wrote to memory of 2624	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	45
PID 944 wrote to memory of 2624	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	45
PID 944 wrote to memory of 2624	944	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe	45
PID 3008 wrote to memory of 2640	3008	IExplorer.exe	46
PID 3008 wrote to memory of 2640	3008	IExplorer.exe	46
PID 3008 wrote to memory of 2640	3008	IExplorer.exe	46
PID 3008 wrote to memory of 2640	3008	IExplorer.exe	46

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

C:\Users\Admin\AppData\Local\Temp\d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe
"C:\Users\Admin\AppData\Local\Temp\d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74eN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:944
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2596
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2740
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2612
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3008
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1716
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2532
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1476
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1964
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2300
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:572
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2620
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2272
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2076
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2240
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2188
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2152
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
488KB

MD5
ca2e1539c052fb163c5b390aaa4d7ef3

SHA1
57f423029f0a586733af6680f151b67178e89fd7

SHA256
0e605692ca2069f49a73c4dab64015130900c34bc587b62f7fd215ee1f8c62c8

SHA512
00efac6b6ac591c7430d2a66d96df9c05df9162eec905d65fbd6d29ed063affdf8874d6e6d4a46ac9b7d9c90fdfc1224ef63b58a7a2b96c59c88d5df67c8cff1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
51a81b2d55ed92753a2e4ee75505c34e

SHA1
5e84a3af0f9cba57a68b18384bb36d88fb56ee45

SHA256
16812f3fe7d2f0e3d76de5262ccf59d7b4e059f4c746d460dc342270b449911e

SHA512
ba7ddbd095083d526b0d08b6bac7cf7c53590b3ed3a3b9b9a1d31d82e48f8522d6aa83dd6b07d48876aa8395de7c68bddb949a69241811c200fabe74c33690c5

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
488KB

MD5
d43e581a25cf5716dc41e8055fe3d029

SHA1
e5c32fb642ffbc2f144dcceefc6f485d178c7b90

SHA256
debed3fa0597125ae8cde713ded5c219ad3dd1d9ef03a606c19707039954a73c

SHA512
9c879d31bfd0186aa2005a4c39de73dccb5982e78946a547544d1cf369d5840b2f515500acf5df82ca733b1b211a732af25b60481777235a80d2fadbbe80b3e8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
8e060554d4248c2d1ea58bc6aae267df

SHA1
74ab1e96356a6cc7421d3a0b7c022229cfda229f

SHA256
7c1da7947551ff6063dc9ddc45627b4b434f07feade133f1e64b1b92b186d738

SHA512
459f388c923e031262363a0484a8c7177d6457547c70f98adba40373bdf978aacf20049f14ee5daf9d2028ff27aaa760b573d62e6e2f22a6796b09624ae26548

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
6df1aa6bf29a33f9bd5a0d16c6dcb109

SHA1
4d864028c87557fa83cf68272d7a6e5812135457

SHA256
cf92ab5f7ef90f7971192b6fcb3c420a04eccebab70866c75c372e20bec34959

SHA512
83b4a842fbe0d600164f3f0123be74a075e0456b9bcba776e34660a91d6d2a583ee8c7307b2d11619cfd0e3f15647a1308f66638fe672b9a0f1350d6e2617ef1

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
4810caec551d6ff73fd7f1b738752356

SHA1
3171453113e46b9938151dd1210650b4f141dea2

SHA256
08f1fc4748988ac403843eb7b7c0170306323519bb72d89b1d1d4b224ed0a224

SHA512
3eb6c1eca77e9c4b32fe206b8c9cb3d992b4071c8fd4eec6e8cc258819371e9b2e508c0b5e4deb83b7faad806116b8ca9aed0d225d1b17e8091a4a7dada519ff

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
3cb92aa0aedcfd85986dd2296c3d3348

SHA1
4ffec7b6807a87cbd512fc03d22d949bb3fb6d9f

SHA256
17d2d6622e96ec885d34964f52076b14e1821a6cffce183e70b550e53a210ca9

SHA512
9afb174f5a9e5ad565acb8195c0dc503ca31152ef05b2bb0128c86164b8bc27ecd81ba4195d8404dd5ed107a7829f86f48dc3d5968e6f0f2ccb598e7de86418b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
488KB

MD5
6f2b519144d81f7e58f1135b875790f3

SHA1
c25a5cc3d07ebe71f54481c867949333b7d2121e

SHA256
d0ef871a6cf9fa63c2ae847bd8b0e73d6e1ab9bb8e309299621e25806b4d9bbe

SHA512
615a4135a7081b05f3154646a66daadc6d374043d1e11ca7e85e13f01721af335f648d817795d7765eacd341e8b0121916c23d1676e6ae3999b16ce0f9fe50bc

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
d7fd94a84e91048dea13a15d7feb6a8b

SHA1
db42e7f7a7c1c4ec04284e7bab2684c8c4f493d6

SHA256
f4f5927004ccab0018a0078c02597135e13b7caa02661105d9aa00edd67f008c

SHA512
120965fea9f4166c4406938194eb435eb1d363b56b771fb2600303670fee43ef1287d7224bbffdb6eed94e5772973968b31e99cb20715bcd77ad6ce48714b362

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
26f5d0b4c015f70e1cddeceee0ad59fc

SHA1
86908a4ad6c8fdbddbaf49353259a5562c90506e

SHA256
9be8e4e8810a26e1e09bec75ed5fe453a47c05e655d42781e7000133f68f4310

SHA512
ae0126118ec3525570ff43ef02ccde5548465e70c32961876daff5fdedd49806b5d96453efaa3be669d5ac51e7b59ee4c0996346542cca7cd126cbcb7f0bb1d2

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
471dae711e20f2aac89a0efa4d9380b4

SHA1
5def9b5287b4c545fb4bd56b7844350b5c2de7f0

SHA256
00297ed9c856f38c32a1ca022121bf9a1efb810de2d20519ba3affd6438f4871

SHA512
18f53322f35e50a20e76662f0ab9a88724edfb1921fba2b55dc96de105d468ff8df66fdc0a42cc4ddcc6654a15b0f7b2151bc3f43a79d259b775a1cff5c694de

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
24bc92778dc6cd95a15e44bd2775d270

SHA1
aa21996dc392e3807e7d7c93f0d69676087488c1

SHA256
d8a0b979bea266e170e95983cead2e24a15f1ddda6551f5554ab68be86e2d74e

SHA512
c5c85ceb18913c42f1bbbb4d9ce2d56a3bc8b597e680a834538222b9f24fc4df956af376ff0469d107d0c9d414e8c8e0c8c3ae91d76e4fcc463858d9a0f33adb

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
b9af2f59451be5cdf74e74de864971e9

SHA1
c2601232f4219978126901603eeba2148a9852d5

SHA256
f695c64049577f1d07fcc102c919a23288f8cd66346f8c3805228e262a4a9826

SHA512
94382d6dc493cda72214e03be45c04cfe5871b671edb1e392b3199f58c278fb34f4f99bc3a15bbbf8ea016ff25b0d1f18d438d364e1164f4e1c2d61358be6733

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
ef61921419b360293d6e387ab576f0fc

SHA1
459fad0d5f7b04eeb22e6a4bca9d7881d079ed89

SHA256
50d35e27fcef29967f02513e3989197f9dda3ee0b1f1bf11b685c3ba7cfeb12b

SHA512
f84fddf668526ff3ad0ba52c2bdc4f8cae0c425bab1beb761f0d3e27b0e2534b03256aa742a5e5a0ad83b7f47b5edae596e1415d6731c14bd7cc627ff9fb6eb3

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
17cecf879445486e250e2cfa23ac8d86

SHA1
35e0ed845df5e721f8ea7a31037b7b7c7d7d04b4

SHA256
6b1254f1d76b6bd5e4071c3f7521360f5da8c9a903c03be7d56d0096f68fe88e

SHA512
caa1f493556c0edff7dec7fc432325f09d6efff190b448ea9ab6ee916c78c20e06db400209e361bb549eb4c0eb796bc07a476c115a4d4e34922c2d25ebef5143

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
782ab69381ff8c8f55ea1d58005f3d17

SHA1
4e8c423e24a6950f10d9c743c89c71e9a6b4e06c

SHA256
7001a88154af24a4a1388f881ecaa971650f8ab6aa4c8be3ffd5db1960fcdd77

SHA512
f69e1093ec0a8133e20b80a657f8d2a910d96585e17700cbf73637cc4714f32b2af745be470060c80543acae027dccdd43d525b04860f660af196f2ae57b1458

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
892443e78f3d5f25f3b9d47d7cac894c

SHA1
76405d2850295cf2189640d322bcb7fb5b407aca

SHA256
5a85a18ebd31488b47724c98b35ba7ce194f6400c6a8bd1451c4147541e79d07

SHA512
e40329178127ce4e299f9a342d228d7c9d5959fecb314d58a3076b4b94d40793a88ec2d7780f12ba1ffa68b7b793e9ce9c1ed5ac6c925346196f2e2153f751cf

Download Submit
memory/572-430-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/572-431-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/944-110-0x0000000003890000-0x0000000003E8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-277-0x0000000003890000-0x0000000003E8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-222-0x0000000003990000-0x0000000003F8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/944-99-0x0000000003890000-0x0000000003E8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-111-0x0000000003890000-0x0000000003E8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/944-221-0x0000000003990000-0x0000000003F8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-165-0x0000000003990000-0x0000000003F8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-98-0x0000000003890000-0x0000000003E8F000-memory.dmp

Filesize
6.0MB

Download
memory/944-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1564-436-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1716-315-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1964-219-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1964-216-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1964-166-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2076-399-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2076-397-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2084-317-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2084-316-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2516-278-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2516-291-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2532-402-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2532-401-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2584-400-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2596-100-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2596-459-0x0000000003840000-0x0000000003E3F000-memory.dmp

Filesize
6.0MB

Download
memory/2596-281-0x0000000003840000-0x0000000003E3F000-memory.dmp

Filesize
6.0MB

Download
memory/2596-282-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2596-280-0x0000000003840000-0x0000000003E3F000-memory.dmp

Filesize
6.0MB

Download
memory/2596-458-0x0000000003840000-0x0000000003E3F000-memory.dmp

Filesize
6.0MB

Download
memory/2740-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2740-273-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2740-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2868-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2868-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3008-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3008-403-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3020-451-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download