Analysis
- max time kernel: 147s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 03:48
Static task: static1
Behavioral task: behavioral1
- Sample: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
- Size: 351KB
- MD5: bd1fca8f44921479510a72dbf1efefa0
- SHA1: 3692a07961e502f4ee266bf9a768cfc1fe03102e
- SHA256: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc
- SHA512: 53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39
- SSDEEP: 6144:V/OZplTYZplx/OZpl7/OZplx/OZplQ/OZplU:V/MTqx/M7/Mx/MQ/MU
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe
Disables RegEdit via registry modification 6 IoCs
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 35 IoCs
Processes: Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
pid process
2196 Tiwi.exe
2556 IExplorer.exe
1456 winlogon.exe
2304 Tiwi.exe
992 Tiwi.exe
1116 IExplorer.exe
1512 IExplorer.exe
2488 Tiwi.exe
1576 Tiwi.exe
2948 winlogon.exe
3068 IExplorer.exe
996 IExplorer.exe
2936 winlogon.exe
1548 imoet.exe
2324 winlogon.exe
1600 winlogon.exe
1808 imoet.exe
2624 imoet.exe
2292 cute.exe
2416 imoet.exe
2696 cute.exe
2564 Tiwi.exe
2680 cute.exe
2588 imoet.exe
2764 IExplorer.exe
2540 cute.exe
1552 Tiwi.exe
2020 cute.exe
1992 winlogon.exe
1572 IExplorer.exe
2352 imoet.exe
1924 cute.exe
2828 winlogon.exe
2516 imoet.exe
2240 cute.exe
Loads dropped DLL 53 IoCs
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
pid process
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
2196 Tiwi.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
2196 Tiwi.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
2196 Tiwi.exe
2196 Tiwi.exe
2556 IExplorer.exe
2556 IExplorer.exe
1456 winlogon.exe
1456 winlogon.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1456 winlogon.exe
2196 Tiwi.exe
2196 Tiwi.exe
2556 IExplorer.exe
2556 IExplorer.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1456 winlogon.exe
1456 winlogon.exe
2196 Tiwi.exe
2196 Tiwi.exe
2556 IExplorer.exe
2556 IExplorer.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1456 winlogon.exe
1456 winlogon.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1548 imoet.exe
1548 imoet.exe
2556 IExplorer.exe
2556 IExplorer.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
1548 imoet.exe
1548 imoet.exe
2292 cute.exe
2292 cute.exe
1548 imoet.exe
1548 imoet.exe
1548 imoet.exe
2292 cute.exe
2292 cute.exe
2292 cute.exe
2292 cute.exe
2292 cute.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
Processes: Tiwi.exe, cute.exe, IExplorer.exe, imoet.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Adds Run key to start application 2 TTPs 24 IoCs
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe, winlogon.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, imoet.exe, Tiwi.exe, winlogon.exe, IExplorer.exe, cute.exe
description ioc process
File opened (read-only) \??\U: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\O: imoet.exe
File opened (read-only) \??\N: Tiwi.exe
File opened (read-only) \??\G: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\Q: winlogon.exe
File opened (read-only) \??\Q: Tiwi.exe
File opened (read-only) \??\R: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\V: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\E: imoet.exe
File opened (read-only) \??\Y: Tiwi.exe
File opened (read-only) \??\W: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\B: imoet.exe
File opened (read-only) \??\H: imoet.exe
File opened (read-only) \??\Z: imoet.exe
File opened (read-only) \??\I: Tiwi.exe
File opened (read-only) \??\W: IExplorer.exe
File opened (read-only) \??\O: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\Q: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\Y: winlogon.exe
File opened (read-only) \??\J: Tiwi.exe
File opened (read-only) \??\B: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\K: cute.exe
File opened (read-only) \??\P: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\E: cute.exe
File opened (read-only) \??\X: winlogon.exe
File opened (read-only) \??\Q: IExplorer.exe
File opened (read-only) \??\U: imoet.exe
File opened (read-only) \??\S: cute.exe
File opened (read-only) \??\T: Tiwi.exe
File opened (read-only) \??\J: winlogon.exe
File opened (read-only) \??\V: IExplorer.exe
File opened (read-only) \??\S: imoet.exe
File opened (read-only) \??\L: Tiwi.exe
File opened (read-only) \??\K: IExplorer.exe
File opened (read-only) \??\Y: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\O: winlogon.exe
File opened (read-only) \??\B: IExplorer.exe
File opened (read-only) \??\J: cute.exe
File opened (read-only) \??\S: Tiwi.exe
File opened (read-only) \??\X: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\Z: IExplorer.exe
File opened (read-only) \??\N: IExplorer.exe
File opened (read-only) \??\R: IExplorer.exe
File opened (read-only) \??\N: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\Z: winlogon.exe
File opened (read-only) \??\M: IExplorer.exe
File opened (read-only) \??\N: imoet.exe
File opened (read-only) \??\B: cute.exe
File opened (read-only) \??\G: Tiwi.exe
File opened (read-only) \??\K: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\I: winlogon.exe
File opened (read-only) \??\V: winlogon.exe
File opened (read-only) \??\S: IExplorer.exe
File opened (read-only) \??\K: imoet.exe
File opened (read-only) \??\Z: cute.exe
File opened (read-only) \??\Z: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened (read-only) \??\H: winlogon.exe
File opened (read-only) \??\G: winlogon.exe
File opened (read-only) \??\K: winlogon.exe
File opened (read-only) \??\M: winlogon.exe
File opened (read-only) \??\T: winlogon.exe
File opened (read-only) \??\J: IExplorer.exe
File opened (read-only) \??\G: cute.exe
File opened (read-only) \??\M: Tiwi.exe
Modifies WinLogon 2 TTPs 18 IoCs
Processes: IExplorer.exe, imoet.exe, Tiwi.exe, winlogon.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description ioc process
File created C:\autorun.inf Tiwi.exe
File opened for modification C:\autorun.inf Tiwi.exe
File created F:\autorun.inf Tiwi.exe
File opened for modification F:\autorun.inf Tiwi.exe
Drops file in System32 directory 40 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe
File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\shell.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe
File created C:\Windows\SysWOW64\tiwi.scr 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe
File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe
File created C:\Windows\SysWOW64\IExplorer.exe cute.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\tiwi.scr 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe
File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
Drops file in Windows directory 26 IoCs
Processes:
description ioc process
File created C:\Windows\tiwi.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification C:\Windows\tiwi.exe cute.exe
File opened for modification C:\Windows\tiwi.exe Tiwi.exe
File opened for modification C:\Windows\tiwi.exe winlogon.exe
File opened for modification C:\Windows\tiwi.exe 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe Tiwi.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\tiwi.exe imoet.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\tiwi.exe IExplorer.exe
File created C:\Windows\tiwi.exe IExplorer.exe
File created C:\Windows\tiwi.exe winlogon.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\tiwi.exe imoet.exe
File created C:\Windows\tiwi.exe cute.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 54 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ imoet.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ imoet.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\ Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe
Modifies registry class 64 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Tiwi.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid process
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
pid process
2196 Tiwi.exe
1548 imoet.exe
1456 winlogon.exe
2556 IExplorer.exe
2292 cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
Processes:
pid process
1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
2196 Tiwi.exe
2556 IExplorer.exe
1456 winlogon.exe
992 Tiwi.exe
2304 Tiwi.exe
1116 IExplorer.exe
1576 Tiwi.exe
2488 Tiwi.exe
1512 IExplorer.exe
2948 winlogon.exe
3068 IExplorer.exe
996 IExplorer.exe
2936 winlogon.exe
1548 imoet.exe
2324 winlogon.exe
1600 winlogon.exe
1808 imoet.exe
2292 cute.exe
2624 imoet.exe
2696 cute.exe
2416 imoet.exe
2564 Tiwi.exe
2588 imoet.exe
2680 cute.exe
2764 IExplorer.exe
2540 cute.exe
1552 Tiwi.exe
1992 winlogon.exe
2020 cute.exe
2352 imoet.exe
1572 IExplorer.exe
1924 cute.exe
2828 winlogon.exe
2516 imoet.exe
2240 cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1524 wrote to memory of 2196 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2196 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2196 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2196 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2556 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 2556 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 2556 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 2556 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 1456 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 1456 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 1456 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 1456 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 2304 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2304 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2304 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 1524 wrote to memory of 2304 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe Tiwi.exe
PID 2196 wrote to memory of 992 2196 Tiwi.exe Tiwi.exe
PID 2196 wrote to memory of 992 2196 Tiwi.exe Tiwi.exe
PID 2196 wrote to memory of 992 2196 Tiwi.exe Tiwi.exe
PID 2196 wrote to memory of 992 2196 Tiwi.exe Tiwi.exe
PID 2196 wrote to memory of 1116 2196 Tiwi.exe IExplorer.exe
PID 2196 wrote to memory of 1116 2196 Tiwi.exe IExplorer.exe
PID 2196 wrote to memory of 1116 2196 Tiwi.exe IExplorer.exe
PID 2196 wrote to memory of 1116 2196 Tiwi.exe IExplorer.exe
PID 1524 wrote to memory of 1512 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 1512 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 1512 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 1524 wrote to memory of 1512 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe IExplorer.exe
PID 2556 wrote to memory of 1576 2556 IExplorer.exe Tiwi.exe
PID 2556 wrote to memory of 1576 2556 IExplorer.exe Tiwi.exe
PID 2556 wrote to memory of 1576 2556 IExplorer.exe Tiwi.exe
PID 2556 wrote to memory of 1576 2556 IExplorer.exe Tiwi.exe
PID 1456 wrote to memory of 2488 1456 winlogon.exe Tiwi.exe
PID 1456 wrote to memory of 2488 1456 winlogon.exe Tiwi.exe
PID 1456 wrote to memory of 2488 1456 winlogon.exe Tiwi.exe
PID 1456 wrote to memory of 2488 1456 winlogon.exe Tiwi.exe
PID 2196 wrote to memory of 2948 2196 Tiwi.exe winlogon.exe
PID 2196 wrote to memory of 2948 2196 Tiwi.exe winlogon.exe
PID 2196 wrote to memory of 2948 2196 Tiwi.exe winlogon.exe
PID 2196 wrote to memory of 2948 2196 Tiwi.exe winlogon.exe
PID 2556 wrote to memory of 3068 2556 IExplorer.exe IExplorer.exe
PID 2556 wrote to memory of 3068 2556 IExplorer.exe IExplorer.exe
PID 2556 wrote to memory of 3068 2556 IExplorer.exe IExplorer.exe
PID 2556 wrote to memory of 3068 2556 IExplorer.exe IExplorer.exe
PID 1456 wrote to memory of 996 1456 winlogon.exe IExplorer.exe
PID 1456 wrote to memory of 996 1456 winlogon.exe IExplorer.exe
PID 1456 wrote to memory of 996 1456 winlogon.exe IExplorer.exe
PID 1456 wrote to memory of 996 1456 winlogon.exe IExplorer.exe
PID 1524 wrote to memory of 2936 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 2936 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 2936 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1524 wrote to memory of 2936 1524 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe winlogon.exe
PID 1456 wrote to memory of 2324 1456 winlogon.exe winlogon.exe
PID 1456 wrote to memory of 2324 1456 winlogon.exe winlogon.exe
PID 1456 wrote to memory of 2324 1456 winlogon.exe winlogon.exe
PID 1456 wrote to memory of 2324 1456 winlogon.exe winlogon.exe
PID 2196 wrote to memory of 1548 2196 Tiwi.exe imoet.exe
PID 2196 wrote to memory of 1548 2196 Tiwi.exe imoet.exe
PID 2196 wrote to memory of 1548 2196 Tiwi.exe imoet.exe
PID 2196 wrote to memory of 1548 2196 Tiwi.exe imoet.exe
PID 2556 wrote to memory of 1600 2556 IExplorer.exe winlogon.exe
PID 2556 wrote to memory of 1600 2556 IExplorer.exe winlogon.exe
PID 2556 wrote to memory of 1600 2556 IExplorer.exe winlogon.exe
PID 2556 wrote to memory of 1600 2556 IExplorer.exe winlogon.exe
System policy modification 1 TTPs 12 IoCs
Processes: imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe (level 1, command line: "C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (level 2, command line: C:\Windows\Tiwi.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (level 3, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 3, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exe (level 4, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 4, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exe (level 4, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 4, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 4, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 2, command line: C:\Windows\system32\IExplorer.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (level 3, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 3, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (level 3, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 3, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 3, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Tiwi.exe (level 2, command line: C:\Windows\Tiwi.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (level 2, command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (level 2, command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (2)
- Event Triggered Execution (1)
- Change Default File Association (1)
Defense Evasion
- Modify Registry (9)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
Downloads