Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:39

Static task: static1

Behavioral task: behavioral1
Sample: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Resource: win10v2004-20241007-en

General
Target: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Size: 64KB
MD5: bb79e9d53044c165289a0386b625c770
SHA1: 3e73cb3a3e35eb2d1c888ed542c14d0395f56460
SHA256: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8
SHA512: 46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c
SSDEEP: 768:VNuG777/+V36n9PcXYvn8KR1I3NznRAQZlh4VkpX179r+R5rOwekflNuG777/+VS:V8w2VS9Eovn8KRgWmhZpX1QCwJ8w2VS
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe, imoet.exe, cute.exe, IExplorer.exe
The Wow6432Node paths show the 32-bit sample writing through WOW64 registry redirection on this x64 image. The 64-bit winlogon.exe reads the native Winlogon key, so on this host these two values do not take effect; on 32-bit Windows the same writes land in the key winlogon actually uses.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | all six listed processes
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | all six listed processes
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Processes: imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
HideFileExt = 1 is also the Windows default, so this value alone does not distinguish an infected host; it is listed because every copy of the sample re-asserts it.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | all six listed processes
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Processes: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
ShowSuperHidden = 0 is the Windows default as well; the sample re-asserts it so that files carrying the hidden and system attributes stay out of view in Explorer.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | all six listed processes
Disables RegEdit via registry modification (6 IoCs)
Processes: imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | all six listed processes

Disables Task Manager via registry modification

Disables cmd.exe use via registry modification (6 IoCs)
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe
DisableCMD = 1 blocks both the interactive prompt and batch-file execution (a value of 2 would block only the interactive prompt). This is written to the native HKLM Policies key, which is machine-wide and shared between the 32-bit and 64-bit registry views.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | all six listed processes

Disables use of System Restore points (1 TTP)
Executes dropped EXE (35 IoCs)
Processes: Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe (seven instances of each)
The winlogon.exe here is the dropped copy under the user profile that the MSMSGS Run value below points at, not the system process of the same name.
process | pids
Tiwi.exe | 1296, 2844, 2936, 1932, 2764, 2068, 664
IExplorer.exe | 300, 3064, 340, 1872, 632, 1828, 1648
winlogon.exe | 1072, 1580, 2100, 276, 2120, 2840, 2324
imoet.exe | 3040, 1404, 1780, 2960, 2732, 2912, 2364
cute.exe | 3052, 2456, 2776, 2156, 2748, 2760, 1000
Loads dropped DLL (53 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
The only DLL the report shows being dropped is msvbvm60.dll (see "Drops file in System32 directory" below), the Visual Basic 6 runtime, which marks the sample and its copies as VB6 binaries. Load events per process:
pid | process | load events
2092 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | 16
1296 | Tiwi.exe | 8
300 | IExplorer.exe | 8
1072 | winlogon.exe | 7
3040 | imoet.exe | 7
3052 | cute.exe | 7
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Processes: cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe, imoet.exe, IExplorer.exe
Every copy points the open verb of the executable file classes at the dropped C:\Windows\system32\shell.exe, so launching any .exe, .com, .bat, .pif or .lnk passes through the malware first. The exefile class is also relabelled "File Folder", so executables show that type in Explorer. lnkfile has no shell\open\command by default, which is why the sample has to create that key chain. HKLM\SOFTWARE\Classes is not WOW64-redirected, so unlike the Winlogon values these writes land in the native view. The listing stops at 64 entries.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\<class>\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" for <class> in exefile, comfile, batfile, piffile, lnkfile | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe, imoet.exe, cute.exe
Set value (str) | same value, for <class> in batfile, comfile, piffile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, winlogon.exe, imoet.exe, IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\<class>\shell\open\command for <class> in exefile, comfile, batfile, piffile, lnkfile | Tiwi.exe, winlogon.exe, imoet.exe, cute.exe, IExplorer.exe
Key created | same key, for <class> in exefile, comfile, batfile, lnkfile | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell and \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Processes: Tiwi.exe, winlogon.exe, imoet.exe, cute.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, IExplorer.exe
Four autostart values, each written by all six copies. "Local Settings\Application Data" is the legacy junction for %LOCALAPPDATA%, so the three user-profile copies resolve to C:\Users\Admin\AppData\Local\WINDOWS\. Explorer on x64 processes both the native and the Wow6432Node Run keys, so unlike the Winlogon Shell/Userinit values these do take effect.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | all six listed processes
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | all six listed processes
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | all six listed processes
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | all six listed processes
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: IExplorer.exe, 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, imoet.exe, cute.exe, winlogon.exe
Each copy opens drive roots read-only (File opened (read-only) \??\<letter>:), consistent with the removable-media spreading that the autorun.inf drops below indicate. Drive letters opened, by process:
IExplorer.exe | B:, K:, N:, O:, P:, V:, Y:, Z:
5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe | E:, G:, H:, I:, J:, K:, L:, N:, O:, R:, T:, V:, W:, Z:
Tiwi.exe | B:, E:, G:, J:, K:, M:, P:, Y:, Z:
imoet.exe | L:, M:, N:, O:, P:, R:, V:, W:, X:
cute.exe | B:, E:, H:, I:, L:, M:, R:, S:, T:, U:, V:, X:, Y:, Z:
winlogon.exe | G:, L:, N:, P:, Q:, S:, T:, U:, X:, Y:
Modifies WinLogon (2 TTPs, 18 IoCs)
Processes: 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe, Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe, winlogon.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | all six listed processes
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | all six listed processes
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | all six listed processes
The LegalNoticeText is Indonesian; in English: "When the Princess fell asleep, I lit a lantern to keep the princess warm, and I waited for the princess to wake. Who knows how long before she can see the sincerity of my heart....(like on whose fs, huh??) :P". The caption and this exact text make a usable string indicator for the logon banner, since legitimate banners set by policy will not match them.
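The registry writes listed under "Modifies WinLogon for persistence", the Explorer and policy values, the file-class hijack, the Run keys and the logon banner above map directly onto a host check. The following PowerShell script is an added example, not part of the sandbox report and not the sample's code. It compares those keys against stock Windows defaults on both WOW64 views and on every loaded user hive, marks values whose data matches what the report shows, and can optionally restore defaults. The $checks list, the Add-Check helper, the severity labels and the choice of hardened values for the two Explorer view settings are this example's own; the default data strings (explorer.exe, userinit.exe, "%1" %*, Application) are the Windows defaults and are not taken from the report.

```powershell
# Added hunting script, not part of the sandbox report and not the sample's own code.
# Keys, value names and "Bad" data come from the report; "Want" is the stock Windows
# default (or, for the two Explorer view settings, a hardened value, because the data
# the sample writes there equals the Windows default). Run from an elevated prompt.
# Read-only by default; -Remediate restores defaults and honours -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$checks = New-Object System.Collections.ArrayList
function Add-Check($Key, $Name, $Want, $Bad, $Sev = 'high') {
    [void]$checks.Add(@{ Key = $Key; Name = $Name; Want = $Want; Bad = $Bad; Sev = $Sev })
}

# Winlogon and Run. The report shows these under Wow6432Node because the 32-bit sample
# ran under WOW64. The 64-bit winlogon.exe reads the native Winlogon key, so that copy is
# inert on x64, while Explorer runs both Run keys; a 32-bit host gets the native keys.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $wl = "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Add-Check $wl 'Shell'    'explorer.exe' 'Explorer.exe "C:\Windows\system32\IExplorer.exe"'
    Add-Check $wl 'Userinit' 'C:\Windows\system32\userinit.exe,' 'C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe'
    # Logon banners are often set legitimately by policy: 'review' unless the text matches the report.
    Add-Check $wl 'LegalNoticeCaption' $null 'Cemlekum' 'review'
    Add-Check $wl 'LegalNoticeText'    $null 'Ketika sang Putri tertidur*' 'review'
    $run = "$root\Microsoft\Windows\CurrentVersion\Run"
    Add-Check $run 'LogonAdmin'        $null '*\WINDOWS\imoet.exe'
    Add-Check $run 'System Monitoring' $null '*\WINDOWS\cute.exe'
}
# File-class hijack. HKLM\SOFTWARE\Classes is not WOW64-redirected; the report shows the native path.
$hijack = '"C:\Windows\system32\shell.exe" "%1" %*'
foreach ($cls in 'exefile', 'comfile', 'batfile', 'piffile') {
    Add-Check "HKLM:\SOFTWARE\Classes\$cls\shell\open\command" '(default)' '"%1" %*' $hijack
}
Add-Check 'HKLM:\SOFTWARE\Classes\exefile' '(default)' 'Application' 'File Folder'
# lnkfile has no shell\open\command by default; the report shows the sample creating it.
Add-Check 'HKLM:\SOFTWARE\Classes\lnkfile\shell\open\command' '(default)' $null $hijack
Add-Check 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableCMD' $null 1

# Per-user values: walk every loaded user hive rather than only HKCU.
$sids = (Get-ChildItem Registry::HKEY_USERS).PSChildName | Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }
foreach ($sid in $sids) {
    $u = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion"
    Add-Check "$u\Policies\System" 'DisableRegistryTools' $null 1
    Add-Check "$u\Run" 'MSMSGS' $null '*\WINDOWS\winlogon.exe'
    Add-Check "$u\Run" 'tiwi'   $null 'C:\Windows\tiwi'
    # HideFileExt=1 and ShowSuperHidden=0 are Windows defaults: informational only, never remediated.
    Add-Check "$u\Explorer\Advanced" 'HideFileExt'     0 1 'info'
    Add-Check "$u\Explorer\Advanced" 'ShowSuperHidden' 1 0 'info'
}

$findings = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Key)) { continue }
    $actual = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Name)
    $ok = if ($null -eq $c.Want) { $null -eq $actual } else { "$actual".Trim() -ieq "$($c.Want)" }
    if ($ok) { continue }
    # -like so the report's wildcarded data (profile paths, banner prefix) still matches
    $matchesReport = ($null -ne $actual) -and ("$actual" -like "$($c.Bad)")
    $sev = if ($matchesReport -and $c.Sev -ne 'info') { 'high' } else { $c.Sev }
    [pscustomobject]@{ Severity = $sev; MatchesReport = $matchesReport; Key = $c.Key
                       Name = $c.Name; Actual = $actual; Want = $c.Want }
}
$findings | Sort-Object Severity | Format-Table -AutoSize -Wrap

if ($Remediate) {
    foreach ($f in $findings | Where-Object Severity -eq 'high') {
        $target = "$($f.Key) [$($f.Name)]"
        if ($f.Name -eq '(default)' -and $null -eq $f.Want) {
            # the whole verb was planted by the sample; remove the key rather than the value
            if ($PSCmdlet.ShouldProcess($f.Key, 'Remove key')) { Remove-Item -LiteralPath $f.Key -Recurse -Force }
        } elseif ($null -eq $f.Want) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove value')) { Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name -Force }
        } elseif ($PSCmdlet.ShouldProcess($target, "Set to '$($f.Want)'")) {
            Set-ItemProperty -LiteralPath $f.Key -Name $f.Name -Value $f.Want
        }
    }
}
```

Run it as-is for a read-only report, then with -Remediate -WhatIf to preview changes before applying them. Findings marked MatchesReport carry data identical to what the sandbox recorded; 'review' findings (logon banner text that does not match) need a human decision because the same values are set by group policy on managed hosts. The Explorer view settings are reported as 'info' only, since their sample-written data equals the Windows default. Registry cleanup is only half the job: the dropped shell.exe and the copies under the user profile must also be removed, or the next logon re-creates these values.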
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File created | C:\autorun.inf | IExplorer.exe
File opened for modification | C:\autorun.inf | IExplorer.exe
File created | F:\autorun.inf | IExplorer.exe
File opened for modification | F:\autorun.inf | IExplorer.exe
Drops file in System32 directory 40 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\SysWOW64\shell.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
Drops file in Windows directory 26 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\tiwi.exe | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Modifies Control Panel 54 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2092 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
pid | process
1296 | Tiwi.exe
3040 | imoet.exe
1072 | winlogon.exe
300 | IExplorer.exe
3052 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
Processes:
pid | process
2092 | 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
1296 | Tiwi.exe
300 | IExplorer.exe
2844 | Tiwi.exe
2936 | Tiwi.exe
3064 | IExplorer.exe
1932 | Tiwi.exe
340 | IExplorer.exe
1872 | IExplorer.exe
1072 | winlogon.exe
1580 | winlogon.exe
3040 | imoet.exe
1404 | imoet.exe
2100 | winlogon.exe
3052 | cute.exe
1780 | imoet.exe
2764 | Tiwi.exe
2456 | cute.exe
2068 | Tiwi.exe
632 | IExplorer.exe
276 | winlogon.exe
2960 | imoet.exe
664 | Tiwi.exe
1828 | IExplorer.exe
2156 | cute.exe
2840 | winlogon.exe
2120 | winlogon.exe
2776 | cute.exe
1648 | IExplorer.exe
2732 | imoet.exe
2912 | imoet.exe
2324 | winlogon.exe
2748 | cute.exe
2760 | cute.exe
2364 | imoet.exe
1000 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2092 wrote to memory of 1296 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 1296 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 1296 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 1296 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 300 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 300 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 300 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 300 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 2844 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 2844 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 2844 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 2092 wrote to memory of 2844 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe Tiwi.exe
PID 1296 wrote to memory of 2936 1296 Tiwi.exe Tiwi.exe
PID 1296 wrote to memory of 2936 1296 Tiwi.exe Tiwi.exe
PID 1296 wrote to memory of 2936 1296 Tiwi.exe Tiwi.exe
PID 1296 wrote to memory of 2936 1296 Tiwi.exe Tiwi.exe
PID 2092 wrote to memory of 3064 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 3064 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 3064 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 2092 wrote to memory of 3064 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe IExplorer.exe
PID 300 wrote to memory of 1932 300 IExplorer.exe Tiwi.exe
PID 300 wrote to memory of 1932 300 IExplorer.exe Tiwi.exe
PID 300 wrote to memory of 1932 300 IExplorer.exe Tiwi.exe
PID 300 wrote to memory of 1932 300 IExplorer.exe Tiwi.exe
PID 1296 wrote to memory of 1872 1296 Tiwi.exe IExplorer.exe
PID 1296 wrote to memory of 1872 1296 Tiwi.exe IExplorer.exe
PID 1296 wrote to memory of 1872 1296 Tiwi.exe IExplorer.exe
PID 1296 wrote to memory of 1872 1296 Tiwi.exe IExplorer.exe
PID 300 wrote to memory of 340 300 IExplorer.exe IExplorer.exe
PID 300 wrote to memory of 340 300 IExplorer.exe IExplorer.exe
PID 300 wrote to memory of 340 300 IExplorer.exe IExplorer.exe
PID 300 wrote to memory of 340 300 IExplorer.exe IExplorer.exe
PID 2092 wrote to memory of 1072 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe winlogon.exe
PID 2092 wrote to memory of 1072 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe winlogon.exe
PID 2092 wrote to memory of 1072 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe winlogon.exe
PID 2092 wrote to memory of 1072 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe winlogon.exe
PID 300 wrote to memory of 1580 300 IExplorer.exe winlogon.exe
PID 300 wrote to memory of 1580 300 IExplorer.exe winlogon.exe
PID 300 wrote to memory of 1580 300 IExplorer.exe winlogon.exe
PID 300 wrote to memory of 1580 300 IExplorer.exe winlogon.exe
PID 1296 wrote to memory of 2100 1296 Tiwi.exe winlogon.exe
PID 1296 wrote to memory of 2100 1296 Tiwi.exe winlogon.exe
PID 1296 wrote to memory of 2100 1296 Tiwi.exe winlogon.exe
PID 1296 wrote to memory of 2100 1296 Tiwi.exe winlogon.exe
PID 2092 wrote to memory of 1404 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe imoet.exe
PID 2092 wrote to memory of 1404 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe imoet.exe
PID 2092 wrote to memory of 1404 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe imoet.exe
PID 2092 wrote to memory of 1404 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe imoet.exe
PID 300 wrote to memory of 3040 300 IExplorer.exe imoet.exe
PID 300 wrote to memory of 3040 300 IExplorer.exe imoet.exe
PID 300 wrote to memory of 3040 300 IExplorer.exe imoet.exe
PID 300 wrote to memory of 3040 300 IExplorer.exe imoet.exe
PID 300 wrote to memory of 3052 300 IExplorer.exe cute.exe
PID 300 wrote to memory of 3052 300 IExplorer.exe cute.exe
PID 300 wrote to memory of 3052 300 IExplorer.exe cute.exe
PID 300 wrote to memory of 3052 300 IExplorer.exe cute.exe
PID 2092 wrote to memory of 2456 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe cute.exe
PID 2092 wrote to memory of 2456 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe cute.exe
PID 2092 wrote to memory of 2456 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe cute.exe
PID 2092 wrote to memory of 2456 2092 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe cute.exe
PID 1296 wrote to memory of 1780 1296 Tiwi.exe imoet.exe
PID 1296 wrote to memory of 1780 1296 Tiwi.exe imoet.exe
PID 1296 wrote to memory of 1780 1296 Tiwi.exe imoet.exe
PID 1296 wrote to memory of 1780 1296 Tiwi.exe imoet.exe
-
System policy modification 1 TTPs 12 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe", tree depth 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1296 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2100 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1780 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2776 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:300 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1932 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:340 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1580 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3040 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2068 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 4)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1828 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2120 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2748 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 3)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3052 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:664 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 4)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2364 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1000 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 2)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1072 -
C:\Windows\Tiwi.exe (command line: C:\Windows\Tiwi.exe, tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, tree depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:632 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2840 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2760 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1404 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2456 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe", tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:276 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe", tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe", tree depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2156
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
-
Filesize 45KB
MD5 b80708d93cf79ad0b26c8b20c6f2a937
SHA1 599d7f4267237ea8cc4ab6da7e77c4f1fb54ed70
SHA256 9a86aae8bfdcd2a91e9190ac566209e65a5327242e2c723cb52f1187a88b3321
SHA512 6b17f74ed6cdd36dbcf4d9c253ef0875a7bb9119df858d5edf2d15f565700e238267a973a050b3ce7f0588b5ab46025228444ab4e3afdc7453ea1392d2bbc222
-
Filesize 64KB
MD5 f8da8c78fccb54b2656671c518f2a4fe
SHA1 7ee880fe707f002a6feda9d8e326ec2ca41a8ce3
SHA256 9b579a3b16e17f40dd97b7cd41df5563fc648aa09e5d085372d286cd063f3d81
SHA512 b9dad7c12a758676947c5c9c59951676410bc1a6d9464c6118a2a4c9c36489efbd01c050ec4331ad9724bd2bb5e72ee61b33dc5c3d2106942f6718e24c08fffb
-
Filesize 64KB
MD5 572c70f6c2e961a38c1332db0d60f1ac
SHA1 1b64e41f85cba00903bccfd1cbc0b6510dae629a
SHA256 968f0a6286b3d3ab2264be8d4c3774a126d4142dfcd69198272567814a2bfd7d
SHA512 dc12c8106fe2834ff087473e26d2bd7638d04b2e3e0f342bd0374d7864448ec73c5a3956f3ce45d49b5cb85ddd773f04ba8d18e23340e4a18b2c47b59284f7d3
-
Filesize 64KB
MD5 13a90ed33d2be8cbcafc9d2059bb336c
SHA1 7a2bd2f1391805f344a182e48c9d81bc607dea12
SHA256 0caf09ab46dca74bf3970157f29821c1f6e747e8146e7001b1ddb5c4a103bb44
SHA512 36fb8f5da48841eee68ca996e7bf2aa9b7b209c6945225302d79e4d5665bb250118bbc4915dc30ccdcd0fc6b06234ca9a35d3cf74321f843c8b6cf7a48b99913
-
Filesize 64KB
MD5 558e916a958fd91f2401843374b47c71
SHA1 4837dac64fc5724aa1ac932cd0166f1785f7122f
SHA256 5abed5416dcaa45a544649be2e7d9fdde0d260513c7ed7acf8b1b19dcef68d7a
SHA512 c36dd5108ca26110a52b1b3e62003105269f124d787752bb9580fe1fdfe3b8d1845920c30987c0e4c80a00ed556f2e6fccb936be1428a4ad0e119024efd7f572
-
Filesize 45KB
MD5 b210083e425e53f9fbe683fc697d2955
SHA1 2467d66c8c6ee327bab8183e8d6cd40f7fc7848d
SHA256 78671a1a313f78abead4a4851b19d910fa9135c2c946171d0df06174fd6ae8e4
SHA512 b8e7f41537389af9ca872811814f8b7c8ae1ff649718c34dbfbdcf1bc5606b8388777e78af93ef84cfd2b7a19f56a994b308c062562b2e088a1f41d4f9d7532b
-
Filesize 45KB
MD5 1f0ef47bad5c0d148ba7f2b966d1b014
SHA1 cbfe24553b6d9acd9d12a30f1d5d5de0f1323503
SHA256 e294ac2172595f608cac754d844dd2335c14675afe824ade358e6585b41e09eb
SHA512 ed719dfbde1182fc9cabbde2162d7cd388f6e1fdda8a501e76bd8047311b250e56eb5f94f9dbbad5309ab3edc8d0f546fa3116c03d01fe5386ee306364498b1d
-
Filesize 64KB
MD5 70f697e1594a66e125218642960f5704
SHA1 1d0788de62e1bf8d28af6b077c58bed195e64235
SHA256 7186b4f924f1ac731cbe7f3d3511befdec82216fcc7f963bfb51ae07ad2e14d5
SHA512 02aade5617455a43a4191fa746fa37ace72b77a6807c3a8d99f7bc0650a5f9b597e4b581bdaa7a8e73d73fe009da80e052138b14ed2767c1111d4881fb3ea2b5
-
Filesize 64KB
MD5 a6cf915256d2b433c008ac5ae3778aa1
SHA1 2d50f9b28368142f15b003ce427e2b158be2c145
SHA256 e666c6650a634a1380b45806f4e920f9f76995c2829e0045887933402633618b
SHA512 1eb593096c3138baebf810dec0c58f54c86a94580a741d38f56f53bb367e96c0d77b07aaece979e82b997b2b26bb977410d60db7f61c4f4e0ff4129171b3590c
-
Filesize 64KB
MD5 c6a6b42bb46e99256123369324a8df48
SHA1 fe55cb43120a71c00a4353c332e967ad4fc8ab82
SHA256 0e3efa742f6933da5926b2b86e53a15075e8f52b17cd4e3015c1e64eb5fe9db7
SHA512 8347c5c4a1aae1585954969d53c74398d7fdecff81390a36e09e65cf48b12a472071d541315dc346c4de3fcca10d542e358554c002147ff3f90a9ab74464c4a2
-
Filesize 64KB
MD5 d6875c8d18cbc403f73a1d021546df59
SHA1 b4ae244271fd957d157f95c75aa58e71668f89e6
SHA256 1244b42152f7da2e2e33fb964285adea0ee49e5a86841a8bbdc055a80521cf39
SHA512 787d4a9deaf900cd513aa25ba503f4055b5017e7ec64de83fe8931853847346d26362036365656f6b8e81e434bac7a246a92d93e1c75047a6cb39317f1e58c8e
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 64KB
MD5 e4d601b2a52d3967da3c7df849972c2c
SHA1 68ad17b1f4cd7ee650321eb03a1d952cb7ca1e87
SHA256 b7b6edd09e370fc445b9fe251de106927c60431b333f6826d965f9aee703888a
SHA512 a1440bb569dc75d2cd1984b0efc47af20aa8b81aab84708b2c1f7f47005a448fc5dfeb1e275f55cbb3625187f109bc6620dde6d43aeeb0d579b9c3d8e1716b10
-
Filesize 64KB
MD5 eb9ed0c82b7e1d650328a78c0df3d23c
SHA1 512f87a49fbb82e77a5439235bb142d67acfe16f
SHA256 550c79c9b9464dfe0cd09f67d6adf8a497b0dda65e638e15ae66753655d3c1f5
SHA512 62e3a9fa408a152aa9ca3335e490f57afe744040c890136454d74f630582a7c4ca0d11ca74ba22ab481007f9dd772417b514467b1b457a2cd4364f77f195c039
-
Filesize 64KB
MD5 bb79e9d53044c165289a0386b625c770
SHA1 3e73cb3a3e35eb2d1c888ed542c14d0395f56460
SHA256 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8
SHA512 46a4af80721b215f03e1ae7e37d66d809d68c8d873c70ed8bcb73c74814542899b3de18e964d51413008fb0ffab20a5eb3b97148795fad4a3d044779990d7b4c
-
Filesize 64KB
MD5 80dd739f1a3276430a8a60b5af738466
SHA1 3685f1bc7970efe8491f310501c8efcf9ead0616
SHA256 0e0052ecea8bd13c167a03b142cff4378e968793110ac65665cd14e5c4c1a5e2
SHA512 87455421d7c443746f8cae42ffbef0308287ae2e5f3086511a25c32ca9381261cc973e8e57163a1c856c9a18655d55fe871cdd673fe2f8cc9dea663db782d159
-
Filesize 64KB
MD5 75a2b158d6b54df989c25315428102c0
SHA1 fc83e25eff360f8dc74d8878d8df86e699006f7f
SHA256 8e3488908e67a9fb068efdee362d33371eceec7b07837cd7715c7851627fe7e4
SHA512 f541546ec35804eaada557413039b3ed666ca96fcbf3b77779ff56b1fe492b28ec4e532fdf81c3691cd5fbd6a10a203cf4f29093107994cdf08df8fb207da869
-
Filesize 64KB
MD5 85f9094c8af86068dd1ac661d6b1fd5b
SHA1 e7237e0d8e586c9e0a1cce45b64f7b76a7406614
SHA256 5d0cf3e9a01b72af3ea7c7a32dff083e82802ff2618150fc2abdec41a0eb95fa
SHA512 04f25281ecff2f22c6550f7adff49087fa159f42b60e7efa328c57c52b11f88ad6fa64a129cb0f71b190e1c241cd44616f6432f39114c54d5a13e239f11bae2f
-
Filesize 729B
MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize 64KB
MD5 94c521817170fc57277380ee2fb62a47
SHA1 43e348bd6fc8f2cc4e7355514dc19d6f7ce1aace
SHA256 53e48afb5e10a31c1730b642e40a19f1dec9bcca5ce5e3348197089088edc78e
SHA512 9a2042bbd546f31e38e0c48c67f2797cf2a75a20d2e93886c03a5fea20ae046e5503feb4c8cf481dc23148eb838ec638d44f599273470387d35cc81f1a492129
-
Filesize 64KB
MD5 6259d73f85582607a1ff1be2b3915805
SHA1 8d75c2d2409015392ce180cc4a5485738a6dcbcd
SHA256 c5a43129aae51fd7474c20bdedda1b00a99f21f84e92ee17c1565ef2292f7c49
SHA512 47fc8900669d640c8bba0db653d3ea06448319ed21e80deee048924f67319a9a10a99285fae3b40bbc7ad14549d6df59410ac7bf163ddde1249262a94bad9005
-
Filesize 39B
MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize 64KB
MD5 7fbb65363a2035587c6e41bd01da4541
SHA1 64505244f20a936c3fc2787e66fa7175e1efa73f
SHA256 eba247c8207b2a391793ed6d522d82106c60922e8e9778dc383c756a647794fa
SHA512 878ba5ffd46e7afb6677cde64feb170621a7687217ab2aa5838e683073ca8581214ee5e08e0de1e0a425ea468f3309fe092fa7ce53261cfcc89a4b895c9ca7fb