13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Size

384KB
MD5

b4f8597636f01b29ead992b7beda4b56
SHA1

baf39a69fe0e0fb907251caad32678e1d406f500
SHA256

13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c
SHA512

05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390
SSDEEP

6144:V/OZpls/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZk:V/Ms/MP/Mx/M7/Mx/M4/MpBE/z

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
2648	Tiwi.exe
2916	IExplorer.exe
1968	Tiwi.exe
2476	IExplorer.exe
2616	Tiwi.exe
1344	winlogon.exe
1592	IExplorer.exe
1032	imoet.exe
2216	Tiwi.exe
2040	IExplorer.exe
756	cute.exe
2368	Tiwi.exe
1576	winlogon.exe
2516	winlogon.exe
1752	imoet.exe
1228	IExplorer.exe
2832	Tiwi.exe
2316	imoet.exe
2672	cute.exe
2768	winlogon.exe
2904	winlogon.exe
2088	Tiwi.exe
3040	cute.exe
2172	IExplorer.exe
1496	IExplorer.exe
3024	imoet.exe
2968	imoet.exe
2980	winlogon.exe
2972	winlogon.exe
3004	cute.exe
2624	imoet.exe
3060	cute.exe
2700	cute.exe
2956	imoet.exe
1968	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2648	Tiwi.exe
2648	Tiwi.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2916	IExplorer.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2916	IExplorer.exe
2648	Tiwi.exe
2648	Tiwi.exe
2916	IExplorer.exe
2916	IExplorer.exe
2648	Tiwi.exe
2648	Tiwi.exe
1344	winlogon.exe
1344	winlogon.exe
2916	IExplorer.exe
2916	IExplorer.exe
1344	winlogon.exe
2648	Tiwi.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2648	Tiwi.exe
1032	imoet.exe
1032	imoet.exe
2916	IExplorer.exe
2916	IExplorer.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
756	cute.exe
756	cute.exe
1344	winlogon.exe
1344	winlogon.exe
756	cute.exe
756	cute.exe
1032	imoet.exe
1344	winlogon.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
1032	imoet.exe
1344	winlogon.exe
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
756	cute.exe
756	cute.exe
1032	imoet.exe
756	cute.exe
1032	imoet.exe
1032	imoet.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\P:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\H:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\S:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\O:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\U:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\J:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\W:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\G:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\M:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\Y:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\Q:	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\L:	cute.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	F:\autorun.inf	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created	C:\autorun.inf	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\autorun.inf	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\tiwi.scr	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Mouse\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2648	Tiwi.exe
1032	imoet.exe
1344	winlogon.exe
2916	IExplorer.exe
756	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
2648	Tiwi.exe
2916	IExplorer.exe
1968	Tiwi.exe
2476	IExplorer.exe
2616	Tiwi.exe
1344	winlogon.exe
1032	imoet.exe
2216	Tiwi.exe
1592	IExplorer.exe
2040	IExplorer.exe
1576	winlogon.exe
2368	Tiwi.exe
756	cute.exe
2516	winlogon.exe
1228	IExplorer.exe
1752	imoet.exe
2316	imoet.exe
2832	Tiwi.exe
2672	cute.exe
2904	winlogon.exe
2768	winlogon.exe
2088	Tiwi.exe
3040	cute.exe
1496	IExplorer.exe
3024	imoet.exe
2172	IExplorer.exe
2968	imoet.exe
2980	winlogon.exe
2972	winlogon.exe
2624	imoet.exe
3004	cute.exe
3060	cute.exe
2700	cute.exe
2956	imoet.exe
1968	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2648	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	31
PID 576 wrote to memory of 2648	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	31
PID 576 wrote to memory of 2648	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	31
PID 576 wrote to memory of 2648	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	31
PID 576 wrote to memory of 2916	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	32
PID 576 wrote to memory of 2916	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	32
PID 576 wrote to memory of 2916	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	32
PID 576 wrote to memory of 2916	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	32
PID 576 wrote to memory of 1968	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	33
PID 576 wrote to memory of 1968	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	33
PID 576 wrote to memory of 1968	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	33
PID 576 wrote to memory of 1968	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	33
PID 576 wrote to memory of 2476	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	34
PID 576 wrote to memory of 2476	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	34
PID 576 wrote to memory of 2476	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	34
PID 576 wrote to memory of 2476	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	34
PID 2648 wrote to memory of 2616	2648	Tiwi.exe	35
PID 2648 wrote to memory of 2616	2648	Tiwi.exe	35
PID 2648 wrote to memory of 2616	2648	Tiwi.exe	35
PID 2648 wrote to memory of 2616	2648	Tiwi.exe	35
PID 576 wrote to memory of 1344	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	36
PID 576 wrote to memory of 1344	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	36
PID 576 wrote to memory of 1344	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	36
PID 576 wrote to memory of 1344	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	36
PID 2648 wrote to memory of 1592	2648	Tiwi.exe	37
PID 2648 wrote to memory of 1592	2648	Tiwi.exe	37
PID 2648 wrote to memory of 1592	2648	Tiwi.exe	37
PID 2648 wrote to memory of 1592	2648	Tiwi.exe	37
PID 576 wrote to memory of 1032	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	38
PID 576 wrote to memory of 1032	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	38
PID 576 wrote to memory of 1032	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	38
PID 576 wrote to memory of 1032	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	38
PID 2916 wrote to memory of 2216	2916	IExplorer.exe	39
PID 2916 wrote to memory of 2216	2916	IExplorer.exe	39
PID 2916 wrote to memory of 2216	2916	IExplorer.exe	39
PID 2916 wrote to memory of 2216	2916	IExplorer.exe	39
PID 576 wrote to memory of 756	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	41
PID 576 wrote to memory of 756	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	41
PID 576 wrote to memory of 756	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	41
PID 576 wrote to memory of 756	576	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe	41
PID 2916 wrote to memory of 2040	2916	IExplorer.exe	40
PID 2916 wrote to memory of 2040	2916	IExplorer.exe	40
PID 2916 wrote to memory of 2040	2916	IExplorer.exe	40
PID 2916 wrote to memory of 2040	2916	IExplorer.exe	40
PID 1344 wrote to memory of 2368	1344	winlogon.exe	42
PID 1344 wrote to memory of 2368	1344	winlogon.exe	42
PID 1344 wrote to memory of 2368	1344	winlogon.exe	42
PID 1344 wrote to memory of 2368	1344	winlogon.exe	42
PID 2648 wrote to memory of 1576	2648	Tiwi.exe	43
PID 2648 wrote to memory of 1576	2648	Tiwi.exe	43
PID 2648 wrote to memory of 1576	2648	Tiwi.exe	43
PID 2648 wrote to memory of 1576	2648	Tiwi.exe	43
PID 2916 wrote to memory of 2516	2916	IExplorer.exe	44
PID 2916 wrote to memory of 2516	2916	IExplorer.exe	44
PID 2916 wrote to memory of 2516	2916	IExplorer.exe	44
PID 2916 wrote to memory of 2516	2916	IExplorer.exe	44
PID 2648 wrote to memory of 1752	2648	Tiwi.exe	45
PID 2648 wrote to memory of 1752	2648	Tiwi.exe	45
PID 2648 wrote to memory of 1752	2648	Tiwi.exe	45
PID 2648 wrote to memory of 1752	2648	Tiwi.exe	45
PID 1344 wrote to memory of 1228	1344	winlogon.exe	46
PID 1344 wrote to memory of 1228	1344	winlogon.exe	46
PID 1344 wrote to memory of 1228	1344	winlogon.exe	46
PID 1344 wrote to memory of 1228	1344	winlogon.exe	46

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe
"C:\Users\Admin\AppData\Local\Temp\13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:576
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2648
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1592
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2672
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2916
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2516
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3040
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2476
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1344
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3004
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1032
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2972
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1968
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:756
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2700
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
384KB

MD5
196e7a85854760e012407f6ef6e7eb12

SHA1
d4a500a3fe26a11133841e4138f179111f219bf0

SHA256
8c28a9bac4706f61107a1817fd099f091970a6d654073b50ce2cf4d1a9b79d71

SHA512
88fc4f6159b3dd88311f72e813b9c0df86368231711d0e71eb32814b8943d9690a423703de6bf6c55889b7ba8cee63a2ae5c243f05dbbc1afb685b3b28d3240b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
b10aefaf178baa5fbb3449aba471ab4f

SHA1
230d9fe6373dace7445569a5535657c6facac4d4

SHA256
74ef58151e574ff11fa654c78a21aa48fb4d7380fb35d03502b86c6df582f7d8

SHA512
db3532aee9a6714658387ad25346e81a5a6f3d7946ef21a731e12526b59373a290a2381e188b9714ce7e041305911c9b2f8e1221038ab76b84e73a187a9fad9d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
384KB

MD5
82e7b29ce24a08fd104522c3ee15b503

SHA1
da26f8347900b6922bc077d02d8e0fd6781a2885

SHA256
0a4ec4c326e0a3f41175d132c9c93a7071624442e2fac91f391a16f6fc044595

SHA512
41c908ee2b9a7a326efd54a6dc703ca328bf070bec5c14be9cf230e04e5abbc5de4f902f875444c67e1cafb6254066f8d8c7999ef5a67408f774cc263305b8ff

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
384KB

MD5
2d982bf6fa76e3b6994c23e1162d7fc1

SHA1
df56a54a17cf74b86b45df2acbe91feebba3e86a

SHA256
1ff87af1fd6b386db1597154abc34066d8371ea3423d38a31ed5b77fc3920d3d

SHA512
bf2c7659f351d213c2a9d67553a294f7e63bf4b8d35c526d3c0e206a3bbd5e2f92a650b0415904e37ddd120d340fe8b102ef68ecd7cd0f31b4c1d8aea312050c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
a5d6820efdaa598fd9f4571febe48392

SHA1
59112d000bab37eaba512422b132635d7d2a48ad

SHA256
ef37ac4c59e7c640abd1c043a698abfba3ecf09008536ec90065224d39c90ddd

SHA512
9605a98a0cbab6affc0befa94bbb83acd4c20250c97b437295ba35d46f358da18c1c98fcdd7dc7c4405b6bf973ad6695ea33d15992e847e83762ec5fcb461296

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
b32f0a88d69bb1847a6ae115b484844b

SHA1
3bf1f54228802a95160843119d97d132171cd152

SHA256
58789ea6af34c79408817a694aeba65e560eddce0a36407c715ec2cdec1a9a0d

SHA512
223a2595b29abe87b4254d9dce9993cfb4acd6a5101568e9ab29b184b8799bc561e42ea4e32e7d59ed8d7513839be07e67494bb1cc3b13e80285cc34172dcd83

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
ba8d5bd7d2c7c43115f754e9f495dd69

SHA1
b315a0543fb585fb99998d7f607e1645dcdf8b26

SHA256
dfef9c1315ade0218164cfda92b64fc2980568ba753aa17ae0e34ed43f635a66

SHA512
43340730f8b56bf6ddcc5b3c07cc1cf596ef70c6087191ff39b737b99c3810e536ff2b6baab8ad466b840d2a3825b336dfa1e527099e3e750f1ecc018dbf65ce

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
384KB

MD5
56b8f1d39e1a5208abde3fb3cf1843ae

SHA1
6b02d9cafdb32adfd4aebdbe8af510da55d4ce3e

SHA256
e3944172f375ddce1d4aa9538ea6a0beeec57621ae479a1a2f544b47847708a8

SHA512
b2ea42649dfe711479f9a2e67c9677c51c05908078f76258f86e9be4efedeff18f87889cd5096c71f67f466103cdcd7c31ea8cf54721d1398b7451b9ee857b0f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
384KB

MD5
929d2655084f6769dc7a0e0a08d3f0b6

SHA1
a828b09f6787491aab163d46c482062d1d19fe72

SHA256
c01844f62020302d70e4504e5f4e94cc5b617b1b2bcc49e81c7363fc072a08a2

SHA512
61737b54d734f28af2440e46650a9827df71f6c6f878ca86f44b51b795390860d93c1db73cac9435a34b490c0a67ce0805d0682153228acaf6738d3ed5df0732

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
384KB

MD5
cf4b9d8955d7d36703b079ce311684e8

SHA1
bea00acab13f50972ad1345283d89463447a87f7

SHA256
42070b3d2fcd4589ff1dfb017c1284297a2dfde6bfda8a9555cf54841a9c3fd7

SHA512
f861fa1dfa665acd640766d2cece3b0cc3fa4a6b524020ebf111993c28171984a8d882e8f01fdc16fcd475681fa7041848b99afec46758a2a5fb9e172e3c6edd

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
384KB

MD5
24705a25f88b59f73ddda683cbe7e66b

SHA1
eb525aede618e37e605bf7c9e7cb20c9174a85a5

SHA256
dbd6aee70c604fa3f057ec806c4415b5b7a4930bf0f5e017b755aa7b713a0329

SHA512
2ff3002d601d03e8768c8b33154b015d3f582f7d04857c1b64f16a1a682ebbdfb12585013ab72162af6411f7b25f44f9786249b60862154181e0284dd715884d

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
384KB

MD5
39f7e73e81276d617d0ac8e2cd85b2f1

SHA1
e9976098ecb8416833b84668d92dfb2cb2d52b00

SHA256
113b738938962542511c5bd12113c78c967efd9b2349e8e5f71b7b646e625325

SHA512
dd5e1424b5ce3cbc9b0dce56b96e788ed01a91854586b844dcc3daff20082931244bf9012644eebe76e740f6b4d36d96fbf1ac3a42bdfc2262bc48050bef7855

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
384KB

MD5
9f985d7e37d6889f286547e9a11bf9f8

SHA1
4a216ba74584b2c3ea2e66537635e5dc96c3b7d0

SHA256
bf1fc1540d1fb2c75175ef22abd73bf8a16932130f6cbf46147faac2020ed625

SHA512
5d35febaab8f136b9458ffe0e6a69cfa6fca6f6b6b1c3caf9cb2043231a71b388068ded8ecca69fb42c012f88c13893e2dff37911748ec4ae85580b5e262a5a6

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
384KB

MD5
f015d26c241680f668134d6350e01ea0

SHA1
8d71f842796b55ec5084901ac6dc66577ebe156c

SHA256
cef324c658e379a844155fde5f153db20fb33292a26e7b6a84a60750b357754f

SHA512
9af6736b3110174d0393059942d5c84780197a02c978c0ddbb518b88f75138023d21bd21ad580efd8a394bc636687ffef415ed0c07f47cf9679db45dd1d98a10

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
384KB

MD5
b4f8597636f01b29ead992b7beda4b56

SHA1
baf39a69fe0e0fb907251caad32678e1d406f500

SHA256
13b1ccfef5d5c9a927293d1b9335eea95612d47999b327382311354a95d1ea5c

SHA512
05dddcef58aba6531ec66c8d8c2a4ef45a942ac6f5436d0fabccdc9895e1eab39a1a3c68fc9bfe8ae9eafb2e222713977d1a6130f78450198baad6394894e390

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
384KB

MD5
d3efc28a1eed67a98da0f1fe683d5885

SHA1
020a80d6ba591cfc612165bd2356269ada9dea87

SHA256
d640e2c4362855ae2030e8374fabb83c26a88b3bf93e193eff4315231edd3a01

SHA512
bef10a86e48414d6b5144f6939e7589404d4236f7c1971b367e62e4c2b34e306ed4d100111c2c86c16daffc9ad2665cf3f81f648ccc92ae619742185c221e457

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
384KB

MD5
f22ae70cac4604b995fb30320933235d

SHA1
48a50b4ee5b77c320ec73eb4eddad6ec7b858f89

SHA256
dc53b11b300b02749f2c0823086336722631da906d20b7f3f7eca224fe82d44d

SHA512
7e92e92f94c97e76264512ff58396528ad59f402f0c1ab6517b640074f2f1bb30b5dff2c85b6d6449ff893aa9b1063dbef3b958cf318f5b684c2c627fd8db22a

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
384KB

MD5
f597168456d10139d4eb5c42f9d7c98e

SHA1
99d4075d1f3b5b27519bc55d3e5738d8d39e40be

SHA256
ab18c999ee475bb516c5faba6363f05558c403dd47ef661611036614e7fed180

SHA512
0246eaebcd7682a14b8aff608a99a95d17756ba16cb5461081f68eec059ecfd1a9b5aff0ec5b9150912907e6d0cb1889cba6ab2e9cf07cd4475d79e2a2149568

Download Submit
C:\Windows\tiwi.exe

Filesize
384KB

MD5
5e99921635a308ee76bac745c1d44f21

SHA1
80ba23cce41b868e0f9e232a00d7de31d3b526c8

SHA256
6944172baa1bed38e91e3bfe33c2155a4ee42b8c9628de5e291de10cb3037a2d

SHA512
08ac086508ee7118d955b76532d56a9016084a56675d74da775d8de5a0c152c8b63c6dd8e8b21d12c5a6dca4efca98a88ff27b5f3c0c6db26f91b9349eda6505

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
384KB

MD5
0e117ee14aeb081f0e2ef7020fc66718

SHA1
58ba4888f8a08f11d60266f9afdd34d3c38b1aee

SHA256
f972d92b58a5f28d54bbc5d5e39e64143c4ca59bb305173dc0f04e54d4e8c914

SHA512
14ecd6c107d6e07a80026f5a28251832c15e77caf1cd2d41242e00082ea1349caaeff3d333871a96851afc82e0bcb7114753fdd7680242189233c9a69f678e27

Download Submit
C:\tiwi.exe

Filesize
384KB

MD5
acc05affc33f693b00563e3cb2edf6b0

SHA1
335d3c61948a1e3f852ca893b897a324ae045928

SHA256
769309fbdc2ddab46890239c5b9a06565728a91692f7f171e35946f2d4ba5820

SHA512
afc8caeb87a91cb0efc08d5497070bfc1bf0332cd119f03d1158def8d470eee29b7b4b78f1a12b9ad8218670a3ae4d3bb756330365a140b744dcedfa89db6a6b

Download Submit
C:\tiwi.exe

Filesize
384KB

MD5
9cafd1a626fbf22fec02ca304efd0a26

SHA1
03c0db24f6441c2428f9501ccc202ab872d45ca2

SHA256
ef55808e584c2bbf3f9802c6dd24a3d50534c120e9559954c5268315e5cccf27

SHA512
db402b0e9941d0f177f689a8a13aeef57754455a400da0cb2f46e8f0657d9039646ce16bbfd41a67d6e2b1327e764a58b165d34118d6d2ea169d42f5052eee36

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
384KB

MD5
b590c11a814407928f7be83677eeae17

SHA1
1feb93614af11964a4c6cbf58f81fd0104d0b028

SHA256
e0140f0803298bdf4cf240596a2430ac5c5621de606bb0d7a76d1c2e8f0a9fbc

SHA512
b3e64ae4ba14af12856fdb3df117c3188ebf0a29ea644daf984d4483f4dbb0be6278f54a6a3802d721fe9f6482666f3dbb21495c102d2cfbc506ebb5b66e3a01

Download Submit
memory/576-248-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-177-0x0000000003820000-0x0000000003E1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-438-0x0000000003820000-0x0000000003E1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-373-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-111-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-176-0x0000000003820000-0x0000000003E1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-242-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/576-164-0x0000000003820000-0x0000000003E1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-243-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-109-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-447-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/576-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/576-98-0x0000000003720000-0x0000000003D1F000-memory.dmp

Filesize
6.0MB

Download
memory/576-246-0x0000000003820000-0x0000000003E1F000-memory.dmp

Filesize
6.0MB

Download
memory/1344-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1344-454-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1968-180-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1968-179-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1968-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2088-427-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2216-293-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2368-345-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2476-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2476-178-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2516-343-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2516-344-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2616-232-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2616-233-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2616-226-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2648-244-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2648-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2832-420-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2916-374-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2916-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2980-436-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download