Malware Analysis Report

2024-11-13 18:05

Sample ID 241110-b245eazkdj
Target 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N
SHA256 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8

Threat Level: Known bad

The file 5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables cmd.exe use via registry modification

Disables RegEdit via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Internet Explorer start page

System policy modification

Modifies registry class

Modifies Control Panel

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:39

Reported

2024-11-10 01:41

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Q: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\O: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\G: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\W: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\T: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 4972 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5088 wrote to memory of 2832 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 5088 wrote to memory of 2832 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 5088 wrote to memory of 2832 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 3112 wrote to memory of 4856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3112 wrote to memory of 4856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3112 wrote to memory of 4856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 5088 wrote to memory of 1780 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5088 wrote to memory of 1780 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5088 wrote to memory of 1780 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3112 wrote to memory of 4296 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3112 wrote to memory of 4296 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3112 wrote to memory of 4296 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5088 wrote to memory of 4528 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5088 wrote to memory of 4528 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5088 wrote to memory of 4528 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3112 wrote to memory of 2236 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3112 wrote to memory of 2236 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3112 wrote to memory of 2236 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3112 wrote to memory of 4408 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3112 wrote to memory of 4408 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3112 wrote to memory of 4408 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 5088 wrote to memory of 4412 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 5088 wrote to memory of 4412 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 5088 wrote to memory of 4412 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 5088 wrote to memory of 2624 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 5088 wrote to memory of 2624 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 5088 wrote to memory of 2624 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3112 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3112 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3112 wrote to memory of 4456 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4972 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4972 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2796 wrote to memory of 3648 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 2796 wrote to memory of 3648 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 2796 wrote to memory of 3648 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 4408 wrote to memory of 3492 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe "C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Windows\SysWOW64\IExplorer.exe C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\shell.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

C:\present.txt

C:\Windows\MSVBVM60.DLL

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

C:\Windows\SysWOW64\shell.exe

C:\Windows\SysWOW64\tiwi.scr

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

C:\tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

F:\autorun.inf

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:39

Reported

2024-11-10 01:41

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\P: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\E: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\G: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\K: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\Z: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
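
The report records autorun.inf being written to the root of C: and of F: (the removable volume in the sandbox) but does not show the file's contents. The helper below is an added example, not part of this report or of the sample: it parses an autorun.inf the way a responder would after pulling the dropped file from the host, separating the directives that start a program (`open`, `shellexecute`, `shell\<verb>\command`) from the lure settings (`icon`, `action`, `label`). The sample file it ships with is constructed for illustration and is an assumption about what this family writes, not recovered data.

```python
"""Added example, not part of this report: triage an autorun.inf the way you
would after pulling C:\\autorun.inf / F:\\autorun.inf from the infected host."""
import re
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED sample: the report does not show the dropped file's contents.
# It follows the usual shape of USB worms: launch the dropper through several
# directives so at least one fires, and wear a folder icon (shell32.dll,4).
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=tiwi.exe
shellexecute=tiwi.exe
shell\open\command=tiwi.exe
shell\explore\command=tiwi.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")          # shell\<verb>\command
RUNS_CODE = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs|js)\b", re.I)


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """INI-style parse that keeps order and duplicate keys (configparser
    rejects duplicates by default, and worms repeat directives on purpose)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(text: str) -> List[Tuple[str, str]]:
    """(directive, target) pairs that make Explorer/AutoPlay start a program."""
    entries = parse_autorun(text).get("autorun", [])
    return [(k, v) for k, v in entries if k in LAUNCH_KEYS or SHELL_CMD.match(k)]


def lure_settings(text: str) -> Dict[str, str]:
    """icon/action/label/shell values: the social-engineering half of the file."""
    entries = parse_autorun(text).get("autorun", [])
    return {k: v for k, v in entries if k in ("icon", "action", "label", "shell")}


def is_weaponised(text: str) -> bool:
    """True when any launch directive points at an executable file type."""
    return any(RUNS_CODE.search(v) for _, v in launch_targets(text))
```

Since the AutoRun hardening (the Windows 7 defaults, backported to XP and Vista as KB971029) Windows honours these launch directives only on optical media, so on a current host the file is evidence of where the worm has been rather than a live infection vector; the same file on an unpatched XP machine redirected the drive's Open action in Explorer to the dropped executable. Delete it from every volume root the worm touched, including the drive letters enumerated above.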

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
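The four tables above (the NLS\Language lookups, the Control Panel, Internet Explorer and registry class changes) are flat rows, one per process per key, which makes it hard to see at a glance what was actually hijacked and where the redirected handlers now point. The following is an added example written for this edit, not part of the sandbox report: a small Python triage script that parses rows in the report's own layout, maps each indicator to an ATT&CK technique with a rule list of our own (the sandbox labels whole tables, not individual keys), and extracts the executables that the rewritten handlers and the screensaver entry now reference. The embedded rows are a constructed subset copied from the tables above.

```python
"""Classify the flattened registry rows from a sandbox report.

Row shape: <Description> <Indicator>[ = "<value>"] <Process> N/A
Indicator and Process both contain spaces, so the patterns anchor on the
trailing N/A and on the drive letter that opens the process path.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied verbatim from the report's tables.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" ([A-Za-z]:\\.+?) N/A$')
KEY_RE = re.compile(r'^Key (created|opened) (.+?) ([A-Za-z]:\\.+?) N/A$')
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\s]+\.(?:exe|scr)', re.IGNORECASE)

# (pattern on the indicator path, meaning, ATT&CK technique). This mapping is
# the editor's, not the sandbox's; the sandbox only tags whole tables.
RULES = [
    (r"\\Control\\NLS\\Language$", "system language lookup", "T1614.001"),
    (r"\\Classes\\(exefile|batfile|comfile|piffile|lnkfile)\\shell\\open\\command\\?$", "file-type open handler redirected", "T1546.001"),
    (r"\\Classes\\inffile\\shell\\Install\\command\\Default$", "INF install handler redirected", "T1546.001"),
    (r"\\Classes\\exefile\\$", "exefile type name replaced", "T1036"),
    (r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", "screensaver executable set", "T1546.002"),
    (r"\\Control Panel\\Desktop\\(ScreenSaverIsSecure|ScreenSaveTimeOut)$", "screensaver lock/timeout changed", "T1546.002"),
    (r"\\Internet Explorer\\Main\\(Start Page|Search Page|Windows Title)$", "Internet Explorer defaults changed", "T1112"),
    (r"\\Control Panel\\(Mouse\\SwapMouseButtons|International\\s(1159|2359))$", "user-visible nuisance setting", "T1112"),
]
COMPILED = [(re.compile(p), why, tid) for p, why, tid in RULES]


def unescape(value):
    # The sandbox escapes backslashes and double quotes inside values; undo that.
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_row(row):
    """Return a dict for a 'Set value' or 'Key created/opened' row, else None."""
    m = SET_RE.match(row)
    if m:
        kind, key, value, proc = m.groups()
        return {"op": "set", "type": kind, "key": key, "value": unescape(value), "process": proc}
    m = KEY_RE.match(row)
    if m:
        op, key, proc = m.groups()
        return {"op": op, "type": None, "key": key, "value": None, "process": proc}
    return None


def classify(entry):
    for rx, why, tid in COMPILED:
        if rx.search(entry["key"]):
            return why, tid
    return None


def triage(text):
    """Parse every row and keep those that hit a rule, in report order."""
    findings = []
    for line in text.strip().splitlines():
        entry = parse_row(line.strip())
        hit = classify(entry) if entry else None
        if hit:
            entry["why"], entry["technique"] = hit
            findings.append(entry)
    return findings


def redirect_targets(findings):
    """Executables that the hijacked handlers and the screensaver now point at."""
    targets = set()
    for f in findings:
        if f["value"]:
            targets.update(EXE_RE.findall(f["value"]))
    return targets


def by_process(findings):
    """Techniques each dropped binary was seen performing, sorted per process."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["process"]].add(f["technique"])
    return {proc: sorted(tids) for proc, tids in seen.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for f in found:
        print(f"{f['technique']:<10} {f['why']:<36} {f['process']}")
    print("handlers now point at:", sorted(redirect_targets(found)))
```

On the subset this reports three redirect targets: shell.exe (every exefile, comfile, batfile, piffile and lnkfile launch is routed through it), tiwi.SCR (the screensaver, with the lock disabled and the timeout set to 600 seconds) and host32.exe (INF installs). The practical caveat for cleanup follows directly from the exefile row: while `exefile\shell\open\command` still points at shell.exe, deleting shell.exe first leaves the shell unable to launch any .exe by association, including the cleanup tools, so restore the association before removing the dropped files.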

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\Tiwi.exe
PID 1296 wrote to memory of 2936 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 1296 wrote to memory of 2936 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 1296 wrote to memory of 2936 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 1296 wrote to memory of 2936 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2092 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Windows\SysWOW64\IExplorer.exe
PID 300 wrote to memory of 1932 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 300 wrote to memory of 1932 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 300 wrote to memory of 1932 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 300 wrote to memory of 1932 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 1296 wrote to memory of 1872 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1296 wrote to memory of 1872 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1296 wrote to memory of 1872 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1296 wrote to memory of 1872 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 300 wrote to memory of 340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 300 wrote to memory of 340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 300 wrote to memory of 340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 300 wrote to memory of 340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2092 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 300 wrote to memory of 1580 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1296 wrote to memory of 2100 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2092 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 300 wrote to memory of 3040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 300 wrote to memory of 3052 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2092 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1296 wrote to memory of 1780 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe

"C:\Users\Admin\AppData\Local\Temp\5bc2f24c251c80347ad97b0a09791723b0dc2ce20e781b05f0d1c6afefae3fe8N.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

N/A

Files
