Malware Analysis Report

2025-08-06 01:26

Sample ID 241109-gs5mgasjfl
Target 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN
SHA256 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e

Threat Level: Known bad

The file 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables cmd.exe use via registry modification

Disables RegEdit via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer start page

Modifies Control Panel

System policy modification

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:05

Reported

2024-11-09 06:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\O: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\X: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\R: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\Q: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1788 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2588 wrote to memory of 2984 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2588 wrote to memory of 2984 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2588 wrote to memory of 2984 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2588 wrote to memory of 2984 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2588 wrote to memory of 892 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2588 wrote to memory of 892 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2588 wrote to memory of 892 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2588 wrote to memory of 892 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3044 wrote to memory of 2464 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3044 wrote to memory of 2464 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3044 wrote to memory of 2464 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3044 wrote to memory of 2464 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 688 wrote to memory of 2192 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 2192 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 2192 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 2192 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3044 wrote to memory of 3016 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3044 wrote to memory of 3016 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3044 wrote to memory of 3016 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3044 wrote to memory of 3016 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2588 wrote to memory of 1580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2588 wrote to memory of 1580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2588 wrote to memory of 1580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2588 wrote to memory of 1580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 688 wrote to memory of 548 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 688 wrote to memory of 548 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 688 wrote to memory of 548 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 688 wrote to memory of 548 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1788 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1788 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1788 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1788 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2588 wrote to memory of 2148 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2588 wrote to memory of 2148 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2588 wrote to memory of 2148 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2588 wrote to memory of 2148 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe

"C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

N/A

Files

memory/1788-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 2b9ffc7e6cd8b47925aea8d5bdcb6d00
SHA1 ed9bbedb791fad104e93a47ff059f0b1efbfadaa
SHA256 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
SHA512 78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

memory/1788-98-0x00000000037A0000-0x0000000003D9F000-memory.dmp

C:\Windows\tiwi.exe

MD5 b28eb006babeecee38422ee4e4993e97
SHA1 c844cfb07ef81131a86d7ea7ce5717e01dcb04b3
SHA256 39b3e18dabfff92fa7a844d0577d73ef4ab027ec7b22261bd09b6a51fd03536a
SHA512 0455c420ae5a69a9861b9962f8ec9c550059e12d916dde320785db94fed93377607a02c0713c9891f25c34b7e3d224a5f3aa72841891cfcd5e8482a774ae1176

memory/2588-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1788-109-0x00000000037A0000-0x0000000003D9F000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 655a71d6e2d950c3cf12c3b773ddd865
SHA1 921a47bb2f52ef8a0d4172788ef8bfa70f806d47
SHA256 b8c8cd83fabd18c3162351789f64a21c63eaf2bec67d39b53cf88bb5ad965ccf
SHA512 adf8ec7a576ec2c8f462132b0293a0137a4936d5aa0cd5787df61401bb5844aec7a25502b4b7c61bbdf2cfef13f460d01aec17f9dad0695659d3069f10e933ea

memory/1788-111-0x00000000037A0000-0x0000000003D9F000-memory.dmp

memory/3044-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 51d62c81078ec535f9445649c9f610b0
SHA1 d0c0a4f80c2e793224260235c8b34952f4640aac
SHA256 c4c3c3f6dabee86a70318b62010b05346cf330553866ed78d07751b962fb1db4
SHA512 f8a22670cbe05806f2471059ea8c3f51ce45011a83e3dd7d87f9727a4e1e34c1ee8f8f41f9c938928cbbe75eb349467640226fd943525ed2795660cafa7c5b08

memory/1788-124-0x00000000037A0000-0x0000000003D9F000-memory.dmp

memory/1788-123-0x00000000037A0000-0x0000000003D9F000-memory.dmp

memory/688-125-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 b4f12dfe876d5505f76e24ca9189fa88
SHA1 697c3acbf7e8261ec8487748e78f08fd9ab4bb63
SHA256 355fb78238f3eb1ae4b45c74ec061d765a9fdeded0b19844884ee22395ed7178
SHA512 310b0af1050b2a8785d3998ca0890b10b82a3432d5158966a3772320ee4b84f8b2090ff230b2e5932723a6cbeb603e8c35ccd7af0ea090fe4797d37bd3cd1526

memory/1788-175-0x00000000037A0000-0x0000000003D9F000-memory.dmp

memory/1788-176-0x00000000037A0000-0x0000000003D9F000-memory.dmp

memory/2024-177-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2024-183-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2588-235-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1788-234-0x00000000037A0000-0x0000000003D9F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 e0f006a7348bf3184ca33d694d98c338
SHA1 3ce38e16355f8863be1e70e851b2df12cf22079c
SHA256 5f711e45b3d73e037cc14dce6780f9a8b91651d0d30706fad0b042e17d3dd029
SHA512 0bacabbcf72fc2bae1bff1dc1ff822ee7039a974185ed394b28caa1c6c845335569add8e69d22b1281cff2463ccdbe8ea0b1adfd3a4a7389a70ec7bb8ac14f92

memory/3024-233-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1788-232-0x00000000037A0000-0x0000000003D9F000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 3a0757d322b78eecc778c09245928128
SHA1 805af3f2d0656890e5550fa3b7a65db96be199db
SHA256 629cb5ee62ab19502213a6236a4a9a3ce850f53efe95986407704cd1401aa715
SHA512 2ffb6e8acdd3603bc977f4dd5463f2c36e09001c6a49afe308e306553b638bd423caa07bcc724e189c0bfff66d2e2290456689e6f449765140ee8c4c22ca2152

C:\Windows\SysWOW64\tiwi.scr

MD5 b01b753579fc53baeba94a956e468b08
SHA1 144275a1e412f913f94280d89debabe403f22314
SHA256 46cdfbff40dc17d3d0c37875aefec9f96697c90e39d30297a0f8f9865b99d762
SHA512 e134fc344ef4879c3c56a573cf8f9230e7dce7fe79de087cd15dabd6b6ebeff86ca1c84b5652aaf3bb51659faad59c3147ebf918462a7a92235d1511cc4905c3

C:\Windows\SysWOW64\shell.exe

MD5 94cf3dc2ffdedc8fbff6e083db03ae4a
SHA1 f83b50ad2dd71ae42755d9db3e97984df93f55b9
SHA256 977842b31c7e05be0145e09973773f01ee130a28f8e4e7d25253af9d2e832680
SHA512 83757f3fc2fb845486b7d14c617f7d99fbf23cc4d6168a5565bf365703316ee4beb2d1fe869887ad3077eeb3c075e114bba2f5304892226cf965962affc568b5

C:\tiwi.exe

MD5 0fab43fddb78aeafa50d652b54eb1926
SHA1 159be98f5ae0b7f73c4364a5d9af0fbc9cafd2fd
SHA256 cf5c0c576bea78b2a4fc2ac5bff14c09ab00edb25715f771d1b67e586ddddf20
SHA512 cfd7ffe698e6c8d272db0fa686ff393758c1e64cb149113d3600868cad469cebc9ab9399580be165f92a4cbf5f38d17e77b16ee9db2d1afb6b55f09838fff834

memory/1788-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 d84682b3b2b515e7b9c1ccd4f1bdee58
SHA1 65b3edbd499e0cb31994b92d33709895441830e0
SHA256 adf13f9818a6aab59fb06c1b1aa30b4fa7d845673445fea60c3f268f5bbc69a7
SHA512 eb8ebd94a2adadca5132308fc6ec2664fc6a4f18cb99d3738ab9dd385cad409a38d76051db1a498ffe538b428a9797a089f950abbd31ce3efc8630d9e6ac7f5c

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 ce9daa21a6df6e3c1bd6322342688d1b
SHA1 076328a1d5321fb00ca5c69fddb8b57a49774daa
SHA256 e5098c0a286e0407c9e3a00f923dcde148624be116e85c0c4e3536046c443053
SHA512 12ceab5852e20619cd8fbfb4a0ab6cb5744b4e5e99b4d79c6fbb5cd7dab3579d68c19d8dc91f33aea5c389be6f1f9dfb7f262f38848c55b09b074681c2411256

memory/2024-189-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 315fe02a16f36b48b2dcba879c35d87a
SHA1 8a648020f887290f81d392311cfea094348456ef
SHA256 3abdaede55e8ab12de8b8d88255c0917f46e4f6d7bf44090f5b064c3f146decb
SHA512 9f0962abd8307c6bd42bfa4df7559d9bdfe99693d12be8401b63a599720542e6ad69d7c27bc12a70fca55f461caa69f840feacf924a0b4529d30b5c4fcf6d3fd

memory/2464-330-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2192-336-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 d5da6827c5511adc8803536b1faf4bb2
SHA1 a0f6c07959cc45a9db73d470e85556210441ffed
SHA256 c1da4619fcd491be49ef82ec2626c54990554dd07d48496094e5269062d32e0a
SHA512 f4009f505ab3c1c9852c94c966f7e5943ee31d89d4f9d6cc7dc37e9e7e1c26330d353197c1d8b34b015d123c81ab4e7b93e74dee9203d46e264807ae31f350e3

C:\Windows\SysWOW64\tiwi.scr

MD5 167d7dcc33cf53baf8c21b37a465a00c
SHA1 92d2425cb0f7200373f7c98763b7b193fbbfadd8
SHA256 6a637425e7d00be0c6e4829a2d9676c5cff4df0d25676648739dc22ac0c7a673
SHA512 e9fc2c06dfa780e3a5a149fa0d85d8ecec98532e26c4be22f3c39e5b0a37e1b1707359775aeb3b33af42e7510e3d961e68fa2b720c12e7eacca5bbc2b76593a2

C:\Windows\SysWOW64\shell.exe

MD5 6aaa65b7dec7101785105fcf87ceaf60
SHA1 dab622d4d304dbefd1167b048db2b0358009ae65
SHA256 f87956ac1dfc5b650c95cbcb267d9933dc090b78dcc620df7d589850c059a881
SHA512 89ce2df553b61787e07d66535406f0397766d4477b1dd8e134b22f8c4560f6923b1cb7dc7a6aabdc0042aabc9979f15d7098216b579ac4d00fe8aa69e2da9839

C:\tiwi.exe

MD5 4824ba11432acca5da729d462747e953
SHA1 2fca37bff5037a0f4cd510e71858561fbd2d531c
SHA256 25ea34645ed727b4052319c093f5aeb7ce3262ef0cf649ab12e31ac1cfa0310c
SHA512 98a8ee5ceaea97d3311731ae772017026240cacba6a52735772ebf5e6fc34566d9a2ebb4cdee4a56160b8f887605395f5d95472db3f7f45d3b13cd9d6560a4dc

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 b393b949aa4ce54beb154e5ecdc45a0b
SHA1 197d7bd94bfb3bb7be0fa200bdd7ecfcdad5d575
SHA256 c100e062aa405ba9e9c013446fb3946d4aa6e86bef4c8d23f407536aa183b96c
SHA512 5ee04a7516f843ea01f6168b7c9b73083470218dde3a7b14574694d09ae69178fc005a89f7f47b8f3e45a2926651e70af105cfc6c43ffbae87a8e3f3a9b75108

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 c3dc22341751bff440fd20436ce14273
SHA1 5f3240138e77bbf1578a8f1290e0efe41bec38d9
SHA256 554bd5883223e0c1eab19a9552250ca0cb48b81e6aab63a63ac468249cb702ee
SHA512 d0994f8b87c09e10743c33872f5661641e9d7832f921768acf6f7c1c1e911194d4c2ef0d5d597a0a79b01fcf0570c9afba6c047dd7146201725ffb77fe06ce16

memory/3024-284-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1580-344-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/1580-343-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/1788-345-0x00000000037A0000-0x0000000003D9F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 8e426434b0eaafbcc223e13b3353dab6
SHA1 4587fbd362ac9db17c14ced825c846b6f1ec4d6b
SHA256 01b0520058443e0db4d811ab125f6b6d5d18a48464de65b0656a141182fb39a4
SHA512 0a8cc0ddf4a6b0b7683819b5ca981a0d8468092f9b0aa1e3388cd18ab9cb45744fe9cef3fe72149752f17fb2161473f72c6875490bbea4b51f20e2c44d86f8f4

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 84ba30f8a58c42a103200d1f1b56baff
SHA1 f0e5b1cab348ce438cc85edf0b9a04967613cf97
SHA256 10cab6c23606463610b9977388c553b60cc7f0fd9bfbe7c82ad4de84beb4d43b
SHA512 0ee8964f2afadf9f170dfbdafb0785ba77f5792f76f7565281ff7832f4b4896a93febb04197876a0b47972c571f766f6e3a96835a7828fdacb22e5f4841ba4bc

C:\Windows\SysWOW64\tiwi.scr

MD5 bdc476e457c022d25de70d291dc1a6c5
SHA1 2ff602e7d9215dce93172e5b6bbb02ebfff331a9
SHA256 25dbe238b2a3a5d975a125b045d87a5f573a67e0dd87f006df208a522607b447
SHA512 95413739649704e4d94e14cd7cfc04229832d5e935d4eb9103f29e3986f8e049b4e26939259d05468abfd94285f8a0d8dc4b843dfb475e989fe0476823bafc33

C:\Windows\SysWOW64\shell.exe

MD5 713d08f6f4237defefcc9fff91205b87
SHA1 7f262d094edd58745b847a9b15ecd8d010928368
SHA256 f4c622a2c7f4d2b945c7bdfc2b1139d51920d7002c6e97de01e2cc26efc2bbe7
SHA512 691f7541de129607332f1c028834037a69f31a0056b5697d76bf39d70172f1aa6333d1dd4bdd029f8d8f44656216bda50b96441f85252e15a3f339983c5b1a36

C:\tiwi.exe

MD5 66d0ff3c9bbdec5374850733233f9e02
SHA1 89e73de0376f3cbfe30f8f855b754b5deb09ddc1
SHA256 68eea2e12eed2ba2820a5d28b0507d31e90668d181bee40c40106b7f2ac3bf54
SHA512 455fc03dd19586cd50096347007d569893b13fac6bd8cf9c9f09a4ea7dc5f749c5d128abc7539a427a150ca797986871572703a1c81a9fdf69de98f03d2cd1e1

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 d2cc5468cab3525d05dd7fed448dff23
SHA1 78a023d6e3a880ca7224f2ac09909092e6820348
SHA256 f7a1f0290b75d1a60aebe7f4db30ed1e0cb530a2a7e9ca279b15fa26876d250e
SHA512 19ca710095bddd11c64240d91abcfad4633743333d72ca1dbbb1dac9727374c03c8ad6759bd752e66419c2c84b6d2dc560e7724dfcb30449537ec3ef45048c45

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 a002c235ccb44bc08be7cadbf84473cf
SHA1 c3ab3a8abb62de2bcad645d0df85fecb5ff1a21c
SHA256 32191310cbed9022d12dad8974bc7a175ee44d6526f38d297b840f00ff941608
SHA512 506d480beacaba882bf2886f33b7f660070070c7ba74b5fb600c44f22913aba1e81c296eea9a1639d0e4a7c045d3c12b3754b7619817e42f1a560795ebba1e33

memory/2984-241-0x0000000072940000-0x0000000072A93000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/2660-414-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3044-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1636-444-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1788-451-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2924-457-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2924-456-0x0000000000220000-0x0000000000230000-memory.dmp

memory/688-462-0x00000000003E0000-0x00000000009DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 06:05

Reported

2024-11-09 06:07

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\G: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\V: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\autorun.inf C:\Windows\Tiwi.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created F:\autorun.inf C:\Windows\Tiwi.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\Tiwi.exe
PID 4136 wrote to memory of 4392 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 4136 wrote to memory of 4392 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 4136 wrote to memory of 4392 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 4932 wrote to memory of 1084 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 4932 wrote to memory of 1084 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 4932 wrote to memory of 1084 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 1640 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4136 wrote to memory of 1120 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4136 wrote to memory of 1120 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4136 wrote to memory of 1120 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4932 wrote to memory of 1672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4932 wrote to memory of 1672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4932 wrote to memory of 1672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1640 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1640 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4136 wrote to memory of 3884 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4136 wrote to memory of 3884 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4136 wrote to memory of 3884 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4932 wrote to memory of 4668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4932 wrote to memory of 4668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4932 wrote to memory of 4668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4932 wrote to memory of 3024 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4932 wrote to memory of 3024 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4932 wrote to memory of 3024 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1640 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1640 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4932 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4932 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4932 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4136 wrote to memory of 3580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4136 wrote to memory of 3580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4136 wrote to memory of 3580 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4136 wrote to memory of 2948 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4136 wrote to memory of 2948 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4136 wrote to memory of 2948 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1640 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1640 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1640 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1640 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1640 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1640 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1640 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3216 wrote to memory of 1608 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3216 wrote to memory of 1608 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3216 wrote to memory of 1608 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3216 wrote to memory of 1428 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe

"C:\Users\Admin\AppData\Local\Temp\63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5eN.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1640-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 2b9ffc7e6cd8b47925aea8d5bdcb6d00
SHA1 ed9bbedb791fad104e93a47ff059f0b1efbfadaa
SHA256 63b15fcc11dbbf20c0de92bee2afe2b54a79ab6f7bbf18a465f492afa46a4e5e
SHA512 78b665813a809a624fa61f6f2ec4f2241959be204d7466e473b6671c9c1c8e8c0edf281b1f418e7ad79e4fea012d4ec9c5e23ff992a72af4c7662aed59749b69

C:\Windows\tiwi.exe

MD5 27da3c58fb2f240dfdd0c2a9026da910
SHA1 51fb9612f1b4b8775ff59c2888044f12a1f88a09
SHA256 62c8081fceb492844689d30bf0fc7d4ef9c59c7bb2f31ae0d74021109d0e1109
SHA512 7aa7ae837d1fc34779addceaca87347db0bae8d30cd52112ed2b038bd469adc066b41117ab6264012552c04aa9b22dd1816e73009f4fb065b7887e10efe814d4

memory/4136-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 d62fff08d20cda68686870292fb1c056
SHA1 39ebff0416ad16197eec8b2569e521e098a98044
SHA256 0e130155bc2b4be630e0facdcb474c8187f998e41b2cde39bfe8b9ae4f4dd46a
SHA512 acc179070ea571f5f1e3a807e2acc9a3d537271c92612e21491302830b5138917a8d38c7de07b1e98c7a5fe73937b9c773c3ee76b84d18e2a3bbe19cafc02b8d

memory/4932-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 421bc619ac6e9207fe5524f1fa052565
SHA1 f110d767841bf94da3025c0f97306b2443224959
SHA256 19a758bfac6e483027d0bd335fa2ce20c916ad58ecf973aaac8eb734a54e1c5e
SHA512 8049cb49ae46755e09d4245c2bd049b0a2b2e881bbfc95d954a081166ab957770af253d2c2f9d7fea56a22b799e07e5769ad8ae9220750e6b7812ae9e90ba1a5

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

memory/3472-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 0904d1363c491b93425fb87a858752eb
SHA1 8564d2fb05c4d48066ce841d04ea98472699fbd8
SHA256 a50a6286eaed4e40ddf04c46840d1279bffa1a57f78296b17a41b59236139591
SHA512 c51565f9490739088ca99a2a245e8970f0b5d9e25bebe2ff6952461f6e2946bf7c1e66288db79e9ee1e5e4afffcb159aba3d5ed608e5926c28fa7ef743b2362d

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 602a549f9fc3b558fb69ad942b8bd9e8
SHA1 b4618c87c153c27883dac4432570a14e99394306
SHA256 484562d3af34180f4c6232427c6e8354180f939db8f66fcef750f90151166ce3
SHA512 a9cb5f47cf3cb7ede2a2bed26ba744295ee942808602fef0f83e97076f3c46f3d16bb4153ffe489585c79394844b7b1d2ad672055ef59c0e4c746a85b09a8fd5

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 1ec5bfdfb985aaa32bc4caec8f7cae10
SHA1 2731019d607dcfef7f16be3fa8338ea8a0c30c5b
SHA256 2351413d0cc90459067369513645442f7c2e13a3fdc96d2e9d1bea2a1295b6d6
SHA512 2e8396c3c82db45819a5b78d4085a7348626bbdb539b6b2d917c0a8a02ef8034e752ee81badfcd801c14983ac48fcf27e4de2a016c16b524f5c32ca68b9f2a38

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 ade47aab1aab913beef18f855fe68e1e
SHA1 304096a453747cbba928c57b8153e30097a5b054
SHA256 acd7841f03e70dac144b6bee4761db0e9aec96b481b5f43b03ac8ff19dbf964a
SHA512 0de2f582ef6a407403ad0d7ec003a48c9fa3bbae0d86a99e917a6e56fe0e8d8e80943856145e3443049dddfdcbec81a9cd99d4db1ad3778de76e4667b7f1ad97

C:\Windows\SysWOW64\tiwi.scr

MD5 c82a6ce9a04a4cd9801a3093e7580bf9
SHA1 4197adea48506def0f3e5007ba8e3f997c17ca79
SHA256 df2fd5dc29e583d9a971f678e6ce3d350f58d7f03f57e53dbbc1985b353564f7
SHA512 039033b56da898d2ef2ac732d3e32ce1ee29ac2866cbafe5f324f90bb4e6d63635c7c36669bca9f417ff3a6859ef7566b56eb7f12d417e9dacfba7749868d6f5

C:\Windows\SysWOW64\shell.exe

MD5 5b51117d91ae3cce562a4c094aad1631
SHA1 4bb779e5f816a203be0f38f100f34617e24b3ff4
SHA256 56cab5c96d3630d8861456b8264b00f2282fcc7c1f984936cc13259f72f76b30
SHA512 8e372a96456a140b0fc4451f0110aed7c82b8f59349da666e20b5722c21a6e7dc39cf02f48e3187e531a8b1dfca9090a601d4b209343c869c7812c381620c0e7

C:\tiwi.exe

MD5 1f03c2dcc8c0decf09c0eb10cfb615c8
SHA1 c60297d1c419a3f25081abab7ff3a17d8007e221
SHA256 f583f0b90d3f321f35b203bf07622e75040ec5f28f6b64168c377a8ba9e1f130
SHA512 bc5b719853d978e962307f8c6bef40d8262028582e31fa6d7784a2505e1daf78f7889c8c7f162589d8b83e1d8a119d6f9f1db00b89aa8eb78dcb4c890b1442b4

memory/4392-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 1da120080779fa0df385d84ca318db46
SHA1 a59b10bec70920a75f5c7d8b6c3a1da32501d12b
SHA256 015949235de02ee292349765e8c0050fd4d141929ca5a840b2cdc6b0f6bf3ae0
SHA512 b09db4e7a2571d7c6dcae8dfe8cb394a4058053b6204856b6ecfb8949edb9ffb6c2ed0884c4815e1e6b1c2873d2b7984395483f229a28227ee06e3de20429650

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 ec63c79d3dda43ed5543c3e6ae103859
SHA1 51301983008ad0ffb38c268f1b17f50be4f92ff1
SHA256 776907c4b9deed6889e77ed27523793d7801e404fe770cc975be4b788a6e8b18
SHA512 7c59aeb11639e9c92598cb404608eb8e490312e05be4b3c8384977a8f73468ee39e24d4f07443ec6215b53e61172910c3a4e41a2e58bf27783a4cc863242f3ee

memory/1120-248-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4392-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1504-244-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3472-245-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1084-243-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1672-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1084-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1504-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1120-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3216-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1672-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1640-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 3d3cdffb95b010f5a8981737af494a24
SHA1 741e51a27ee7ddd1bd0b245fc810b84946b6aca9
SHA256 c889e7eef1fa092f022858e5df6e7df379d625e2d12c212700f9bbcb06ef1d1e
SHA512 173b8df07c224265813338e749537e0b4e0c9b64b3f42fc2407f607ba503585706313e38175e8a46fb5330120ac2fea9b20d352effc3917b4b3a7b39cd68ec0c

memory/4932-276-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4668-275-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3884-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4668-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 619a5a971a7ad0bd94276601511d258a
SHA1 ee690588331efc239bd5d35508028a93275caa26
SHA256 475234daa63cfd84b58e498e45a7442ad55e86f180651b8edca886ce64210414
SHA512 7715152db3d3dc54af26f63f00db446cc836205bb1f7e3929606803799a55033a11c2b9fbcfa41ece7dcf20286e04889e06a4354d17af9f3f25c0560ea47f1b8

memory/3024-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/5068-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/5068-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 0b3a8a8a3adb616d8bda14f3e533e930
SHA1 f04e991dc61ebd147741f3e163c672a91306d5b3
SHA256 63e62128185ddf6505de15f495dc5fc06c9e8925e774119a635c2a2fc8420991
SHA512 78558fbe572be214fb485f6ec679dc5ad98d415bb548443ca48b1e02147f03c6ca0fb4b8b8c58e81aac957204ca8010a4c75df4e0812a292f21f8157d5671b40

memory/4084-294-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4456-298-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3884-301-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4456-314-0x00000000003E0000-0x00000000009DF000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/1640-388-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 4b00f140e6b862252b705e870a4f1590
SHA1 ae2118eee71a193173b6f18f0b003306cb732738
SHA256 9d7ff3c255a7492024d9514532fcd6f0e0dab30d86a10887aecee93073896453
SHA512 ccd970109eac2c2800d53a01a70d94cd4c2a46b7cdb203329cc2cac633b2d03ffe05234ec97e6f2baec270b4606bae202277ace0bf6e3a2062e2e90bde42a3c2

C:\Windows\SysWOW64\tiwi.scr

MD5 fe831b0adcfe3d627a232b3a57f78feb
SHA1 f4722774d52670e50dc12a742ee9b97bbc44f9c5
SHA256 95deb5b21a7db2dadaacf413c93789aceb03f5643dc123b69935d0928c279ec5
SHA512 04cd8b62c050047d154bdda6b0bceb1ee5fc77260493b2c998b570792d38755dad67f740d9559251e51980d1e82ce460e531e1b7e4006546aa9dd6b579559729

C:\Windows\SysWOW64\shell.exe

MD5 c2f2babf3d81f017374a5038b1d6ca25
SHA1 43e08f893c1b662ef297a4fc19186f6b751f88ed
SHA256 39c7bb0ee6d609af5b73edc66ca4b3f32a4a2ff177f3f7d97a4685e9635024ee
SHA512 494de8a777d987b4e78880ede49bc94097807c548e2526b2f060809e45a97c7905810e95a4eae5d4c0cc613b715caca7c40089e64ac909565cbed17eb8d777b2

memory/4136-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3216-437-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3024-438-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4084-439-0x00000000003E0000-0x00000000009DF000-memory.dmp