Malware Analysis Report

2025-08-10 23:22

Sample ID 241117-j4rwvsvkgv
Target a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
SHA256 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7

Threat Level: Known bad

The file a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables cmd.exe use via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Control Panel

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:13

Reported

2024-11-17 08:16

Platform

win7-20241010-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\W: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\V: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Z: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\S: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
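
The drive-letter probes under "Enumerates connected drives" and the drop locations in the two "Drops file" tables above give a concrete list of file artifacts to look for on a suspect host. The PowerShell below is an added host-triage script, not part of the sandbox report or of the sample, that probes those locations (plus the root of every mounted volume, since the sample opened drive letters from B: to Z:), hashes each file it finds against the sample SHA256 and records its Authenticode status. It assumes 64-bit Windows, where the 32-bit sample's writes to "system32" are redirected to SysWOW64 (which is why the report shows tiwi.scr created in SysWOW64 while the SCRNSAVE.EXE value below points at system32), and that the XP-style "Local Settings\Application Data" path in the report resolves through the LOCALAPPDATA junction on current Windows. Both are assumptions about the victim host, not findings in the report.

```powershell
# Added host-triage example (not part of the sandbox report): look for the
# file artifacts listed above, hash each one against the sample's SHA256 and
# record its Authenticode status. Run from an elevated PowerShell session.
# Assumptions, not from the report: 64-bit Windows (the 32-bit sample's
# "system32" writes land in SysWOW64) and the XP-style
# "Local Settings\Application Data" path is the LOCALAPPDATA junction.

$SampleSha256 = 'a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7'

# Fixed locations taken from the "Drops file in System32 directory" and
# "Drops file in Windows directory" tables; both System32 views are probed.
$Candidates = @(
    "$env:SystemRoot\tiwi.exe"
    "$env:SystemRoot\msvbvm60.dll"              # the VB6 runtime does not belong in the Windows root
    "$env:SystemRoot\SysWOW64\IExplorer.exe"
    "$env:SystemRoot\SysWOW64\shell.exe"
    "$env:SystemRoot\SysWOW64\tiwi.scr"
    "$env:SystemRoot\SysWOW64\msvbvm60.dll"     # normal VB6 runtime location: judge by signature, not presence
    "$env:SystemRoot\System32\IExplorer.exe"
    "$env:SystemRoot\System32\shell.exe"
    "$env:SystemRoot\System32\tiwi.scr"
)

# Per-user drop folder (winlogon.exe, cute.exe, imoet.exe in the report):
# check every profile, not just the one running this script.
$Candidates += @(Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\WINDOWS" -Filter *.exe -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty FullName)

# The sample opened drive letters B: through Z:; worm-style copies are
# normally placed in the root of each volume, so probe each root for the
# same file names.
$DroppedNames = 'tiwi.exe', 'IExplorer.exe', 'shell.exe', 'tiwi.scr', 'winlogon.exe', 'cute.exe', 'imoet.exe'
foreach ($root in (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root)) {
    foreach ($name in $DroppedNames) { $Candidates += Join-Path -Path $root -ChildPath $name }
}

$Findings = foreach ($path in ($Candidates | Where-Object { $_ } | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path          = $path
        SHA256        = $hash
        MatchesSample = ($hash -eq $SampleSha256)   # byte-identical copy of the analysed sample
        Signature     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer
        LastWriteUtc  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
    }
}

$Findings | Sort-Object MatchesSample -Descending | Format-Table -AutoSize
```

msvbvm60.dll is the Visual Basic 6 runtime and, on 64-bit Windows releases that still ship it, legitimately lives in SysWOW64, so its presence there proves nothing; a copy in the Windows root, or a SysWOW64 copy whose Signature is anything but Valid, is the finding. A dropped copy that does not hash to the sample is still worth keeping: the report only shows that the files were written, not that they are identical. If mapped network drives make the root sweep slow, filter them out of the Get-PSDrive output before the loop.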

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2472 wrote to memory of 2992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2472 wrote to memory of 2992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2472 wrote to memory of 2992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2472 wrote to memory of 2992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 2744 wrote to memory of 1828 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2744 wrote to memory of 1828 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2744 wrote to memory of 1828 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2744 wrote to memory of 1828 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2064 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2472 wrote to memory of 1796 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2472 wrote to memory of 1796 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2472 wrote to memory of 1796 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2472 wrote to memory of 1796 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2744 wrote to memory of 1744 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2744 wrote to memory of 1744 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2744 wrote to memory of 1744 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2744 wrote to memory of 1744 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2064 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2064 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2064 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2064 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2744 wrote to memory of 900 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2744 wrote to memory of 900 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2744 wrote to memory of 900 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2744 wrote to memory of 900 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2472 wrote to memory of 608 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2472 wrote to memory of 608 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2472 wrote to memory of 608 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2472 wrote to memory of 608 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2064 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2064 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2064 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2064 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 900 wrote to memory of 2488 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 900 wrote to memory of 2488 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 900 wrote to memory of 2488 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 900 wrote to memory of 2488 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 2744 wrote to memory of 1404 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2744 wrote to memory of 1404 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2744 wrote to memory of 1404 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2744 wrote to memory of 1404 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2472 wrote to memory of 264 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2472 wrote to memory of 264 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2472 wrote to memory of 264 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2472 wrote to memory of 264 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 900 wrote to memory of 884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 900 wrote to memory of 884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 900 wrote to memory of 884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 900 wrote to memory of 884 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe

"C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

N/A

Files

memory/2064-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 96491cc3d37f3c953a017fd6bb7d80f9
SHA1 9eae6f9e6bf78055de34233d46f2e07fb054c1c2
SHA256 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
SHA512 92efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa

C:\Windows\tiwi.exe

MD5 9d8af6c4a88f390bbbe82e7c4fa9606a
SHA1 513e70e8862da637252ea9deda5d3f27fc0b8aa7
SHA256 4d6de1ded9bca6725ff4581b09250e3c23d41fcc7d2eb16264702c9ecf78f6af
SHA512 bcd79d30d04cedd66c67f37665860ac315bfae0b48a49257378f06bbbdb7f132860d0b2da436f6a6aaead8341d86effddd81721ea7b500b2f8c0509f1341de95

memory/2064-98-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2064-100-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2744-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 afe67cddd6b3ed4507f3e25b267966d6
SHA1 6b53840d21d71a5d6a784d9f1fc20d17d30ae8bd
SHA256 65d2e51081568250847751a02475b2733df70dbbb0908c526931ab16ec1d9b17
SHA512 2380c77f20f227cf734c4759c8c3c585793575534f72d006f7cc20d94309b46eb298122a40cff38dc563c28c291efc23906ea8da3a15cb99a3773a4159c22b07

memory/2064-111-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2064-110-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2472-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 6162837adaab212fb0c7d40b219c429c
SHA1 05772ef401784dced15b4ad98ed69353161200b2
SHA256 7d436f3f4f28d0ddad821b65eebdb7f8d81fb7079d65aeffeadb3a59237105ba
SHA512 feb9fbabc3f71ac6482420f86268117d2f8ca0d75b78caa8cbe944f9810ff03ca202175d93d931866aa21ae0f2d7b57f1243db1cb89fc4dbdce374963915d140

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 6633049a1aed49120b69c18fcac8ec27
SHA1 361641737b8be4b24f0f023ed3d615c68efe4931
SHA256 041f562ece22eeb5227d84a83d241830f52c27afd88d3cc70f59489f063a86f7
SHA512 f009fb7f5ed030b693b87557daee5d55252195db9f3093fb47b911b2d2d132be63e93f606ef7198eec243a796aa97361e1f9cf9b2369143549799f15b9e34bf5

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 7077c20faea6926f99323fd10a3e6c06
SHA1 723802b3d301187e557a9dcbf5bb75b3631e86aa
SHA256 342de109b9298fda6d098562e86ab29806ae65ff0df56cc8258181c27a6b8ae0
SHA512 c4a5a59126ca5d0efa90b2a3235d9568b72ecd66b7ff89903f4be763e271917bca9301efe867df76e71b13d5c480de666867d535bdb820475d0d1c7e3e6a8a5d

C:\Windows\SysWOW64\shell.exe

MD5 71f5a1da0764a93258c22ad54572aee2
SHA1 ab8574ffd941a363919b1a17a96b1f356723964b
SHA256 960ab4b9da31b89c9d28c1e8961d2d4532c00f833bf8a26b4f690785f1a90fc6
SHA512 76fc10607b1218da6390e1191cb81dc187354fe56cbff2f23a37ec10ead570558751c2d0369fc0ffdac78e6db3a8b30358148a4c8000ec6baede46a42eef6447

C:\tiwi.exe

MD5 bb7c08b547c86d6eec33fdfe7e28bd9b
SHA1 fe94dc79cef9b52453cc5392173ad995c4af85f9
SHA256 37de5d948eaec114b572a800c97e368517e644bf0c32d6f79476db77cbf5af09
SHA512 b64ebb89a82c9faa5b0b59c4f892098d4d08b9940b824a460ebed12633bdbe5d07889981830964bcbfb4d960b1867dbc0383517b305d73b3f4232b5d07342971

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 79f9d2aa032958f391b231127156467b
SHA1 8b8bcdd83f8a833d40c2f03eaade92ec1be073c8
SHA256 5dd066bedbbf657836f9627b7dd813579039470668f9a900b6a8ea0fab747699
SHA512 d061b54e9278c26c2b3834e54db71af64e9e2c50c2a89eed7192b1c07d2c2f1ab0de91e1460ca2139b5df31c05dd20b5f92baf4fc2168c75af89f47f97346185

C:\Windows\SysWOW64\tiwi.scr

MD5 630e543f95d02184cdb81a9b9bf6c84d
SHA1 d56ffb5201f12bcd70cfa4e76c351df5f1752112
SHA256 e6db86d13deeb478637cf330c25a17ea43da4277e14edaccbee6e94dd41dbad2
SHA512 12f402553d9d5dce23fc87f6f8aa10552c06a33b4f3c9efdae4e57d83ade0a81a644f00178b36905ca24481d71fa3ff8a8b4f50dc3004699bb3ef90fbc3cdccc

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

C:\tiwi.exe

MD5 53d5e798bd73e58a00d884c68e3c5a18
SHA1 0cd8c65dae5ebaa75829750a49a743e75b00c0c8
SHA256 06b6d588621e265000873fdc8de32043e280798408ebc1b646253331c5f3f484
SHA512 92adcc92ea6f70431c0c5f4138f7b4f1a2075328940994ee35ad0b32cde1608d338f2a98f3dd3eb19fee2b1a068a82a9b150a464ee0bd3ba59570e5b8750649d

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 3b533d48b1d5815930b06d0bd9b9c75c
SHA1 bd6d937eaa20ae319ae49a4a99b797cfbe12a605
SHA256 914dee444f8e5446e3cc007e8369e39889de73d87c6326615c9eb0d916b98dab
SHA512 2e584181bddd89eeb4dfa1c6fa5aacc546c775320d2de61b861827584f0e11ff9bd680e349a92ae0af7c9d53c808f1e0cde217a8d9c6c29d0a0eca49a2e5d8fd

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 e1665397e369cf2bfc06846deb0bfc88
SHA1 25f685463d6ab292348b0c166b177a2e601a495f
SHA256 2fba78024868aee19ca655a006de9c7b4fc4fda478502d10b7fd4a4bcfc7255f
SHA512 316d1ca212513478e5db07df34a8f2a1ef76058fd180e617cc52407b634ccdaa943e44920cc3aecc22dd73d2dc7dbd16b9758658ae524dde83893864424e3302

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 f86a75e4600584523b6827adc2eca624
SHA1 4fcf4e35f124e1aab6528e673b4cfeb6521b2da6
SHA256 d484123933be5472cf5fe298c16619c3d012a33653a41706db77c4a092a04170
SHA512 17edba8af1f53dbab4bb434f83dd6e408c032b074804ff89eb4e98aee5a3d317d7002d6269b4a050393be1d1c22a9b9aad5b0d1d76b826fae2f30460dbb350c4

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 bdbf985eeb3a00569efb1c103296852b
SHA1 810ef44e5c22a3a731fda70091cd375647a1c2aa
SHA256 a2b6de6b4762b020e1167d7696893045d88c871267da034036f5ba8b43731963
SHA512 d254ea323d1f71b9e70b420d7d46749e4963738138c0418612ac752a7a6ecd24cc4fb3cdd11ddaa1e10da49860ee4fadb79a7696df7a166d6c50546844e482bb

C:\Windows\SysWOW64\shell.exe

MD5 6905ce2edbef3125728cdf8c9ace0656
SHA1 21485f8f7887de60d4b866ca796eb12558840d7e
SHA256 9f1bf859c3aba28ded8417776d77508d7eaa94c22b4a8da5176ffd7fccc22804
SHA512 0a285ff72e88b3a0e987125a5d46af1a03ef99ac7728d2c331d7b764ac5884eb95434552ca5ce7cf757ff5d2fc79e2b9139479560443b04237edae3adf8a4192

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 e26b208f6110975bcf772f709eff412a
SHA1 cc46434bda02969260eec216a60797ff2a35ad2f
SHA256 3153cb3b546c00251bc85b8d9d9162d5b5eea0934acab7cdc57dc8a543a24f63
SHA512 74c127de4a14a6ed0067e5f3a9842b34fbae83ad97c0a605a279cf3aae7b0c7d145d4d1431914c236283d94041053414fc1bf485dd877e0f3c8af6dc8898640b

memory/2472-178-0x0000000003540000-0x0000000003B3F000-memory.dmp

memory/2992-180-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/1828-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2064-220-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2064-221-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2744-222-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\tiwi.exe

MD5 02fc847613e718b3350c86435b3b982c
SHA1 3a66b870ebb30b7e728dad225e6988948b08af59
SHA256 3a0c455a919ef80b06e5aaf8c8052b99870d11e0076fb7ef667a1a47e605f3cb
SHA512 f76e1822eb2de7817bc547f107cbca2ac9d6eea122cb2f92816cbdfa0ca2998037280e31de708a2548f9e647726c48ba1a06a001318b02a2c0008d6b827d49ae

memory/2388-229-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2064-237-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2388-238-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2064-239-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2992-241-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2472-243-0x0000000003540000-0x0000000003B3F000-memory.dmp

memory/1828-250-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2472-244-0x0000000003540000-0x0000000003B3F000-memory.dmp

memory/2064-242-0x0000000003320000-0x000000000391F000-memory.dmp

memory/1828-245-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2992-246-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2472-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2488-294-0x00000000001B0000-0x00000000001C0000-memory.dmp

memory/2488-296-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2036-323-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2036-325-0x0000000072940000-0x0000000072A93000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/2764-356-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2064-362-0x0000000003320000-0x000000000391F000-memory.dmp

memory/2472-363-0x0000000003540000-0x0000000003B3F000-memory.dmp

memory/2872-367-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2872-366-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2828-382-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/2652-391-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2064-396-0x00000000003E0000-0x00000000009DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:13

Reported

2024-11-17 08:16

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\T: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\O: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\X: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Windows\SysWOW64\IExplorer.exe
PID 456 wrote to memory of 3652 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 456 wrote to memory of 3652 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 456 wrote to memory of 3652 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2564 wrote to memory of 3188 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2564 wrote to memory of 3188 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2564 wrote to memory of 3188 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 4120 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4120 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4120 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 456 wrote to memory of 4564 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 456 wrote to memory of 4564 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 456 wrote to memory of 4564 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2564 wrote to memory of 1856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2564 wrote to memory of 1856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2564 wrote to memory of 1856 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 456 wrote to memory of 4332 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 456 wrote to memory of 4332 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 456 wrote to memory of 4332 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4120 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4120 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4120 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2564 wrote to memory of 2768 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2564 wrote to memory of 2768 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2564 wrote to memory of 2768 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4120 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4120 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4120 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2564 wrote to memory of 2820 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2564 wrote to memory of 2820 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2564 wrote to memory of 2820 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1632 wrote to memory of 1400 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1632 wrote to memory of 1400 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1632 wrote to memory of 1400 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 2564 wrote to memory of 3824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2564 wrote to memory of 3824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2564 wrote to memory of 3824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4276 wrote to memory of 3756 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 4276 wrote to memory of 3756 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 4276 wrote to memory of 3756 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 456 wrote to memory of 3912 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 456 wrote to memory of 3912 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 456 wrote to memory of 3912 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1632 wrote to memory of 4620 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1632 wrote to memory of 4620 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1632 wrote to memory of 4620 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4120 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4120 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4120 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4276 wrote to memory of 3632 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe

"C:\Users\Admin\AppData\Local\Temp\a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4120-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 96491cc3d37f3c953a017fd6bb7d80f9
SHA1 9eae6f9e6bf78055de34233d46f2e07fb054c1c2
SHA256 a92d6fb8595882d070b9e9846833e238311527a4a24f39a03152434bc90665e7
SHA512 92efeabab0504d2dc7d07c607be927ea964b8229fce3574e27c13670bbc81508803efa0e9e52549e9987cf13b23f7b4fa9ef55213d7aca83f4eca3a9f7ccc8fa

C:\Windows\tiwi.exe

MD5 8eb42c4a8d5ae1ff4b59e04a870e72a2
SHA1 07641442200937ce2bdbd239b8646bbe987373fd
SHA256 d94f1d34b89b35d4cbab13f5fbdd5a49d4e53385f8539fe2753c6d49382b68a3
SHA512 5ad7d50e798e774312cd9f09dfc503638333afeb6e320f9ef2b45fa014a33e949eae39104b41b6be76f498fc98a76f45abc189f86bd1ac5ba9220c4e52b35df7

memory/456-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 1645df816282a40ffc60bcff71e6a333
SHA1 7ef3ce52eef3088737da97c0b524915ec39a70d2
SHA256 9566ab931ea3325dc13c4a575452fd459ed62a933d1405688eb8a715b3fb9f38
SHA512 4c7a9962b2b13f72356fc6409bdeb4170363cbf77eb88e2572f820f962e1cea09d17f76ee5ef4ad8a9408209a589466268401ae6f9dd02fcad10d22e5b555a71

memory/2564-101-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 211a89b15eb2d9d536da748246d863f6
SHA1 38881e75efa792aaf0db65faadc428192295a4c4
SHA256 add73ef68733cebb8d94a535e31412c0614ffa6a8a2e266dfdb435a1f7144ff5
SHA512 497fe08040936c7f1839833a15298c9a0d9f7736a56cc49119c8f1bceece533f646ef194c66eecbf445c102d7ee4ee4423069d053ba21316fc08252fbe0f1e9b

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

memory/3904-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3840-164-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3904-163-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 00b9363bf2bf749862edd5e2d9d11414
SHA1 4f7575bd02b4fb10e5f52a2e36203e8e8bf1c882
SHA256 73a0cc5ab73b57de95e33a241cb5f52b7bf27a2ff6ff993ef79f741171fdeb9e
SHA512 623aa68a32f745c4ec913bc8a8773a61211e97e15a7387ca58ba1d5d78a6927787694869e282290a2d858f8779bb3d8874a689a2ac2e2319588d5ab1388efb2a

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 bd7debbfe3b8be0f6881f8df00b53aad
SHA1 2de40d26749d882211248ce8ab192c25e2cd34df
SHA256 f49a28e6b56b25d5489e260d554f6ab413207fcdbe1ab23201f49edb94e8d34b
SHA512 bff6142aadc76d2f36b80024b40a72777568bc2fa7c23ce4193aedb59c1cc87be2d17bc1f78f722ad08cd3d67d2fea2ab8840158c177e370eae8ea0109cfb5f1

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 96dd4c7bc1fc022bbcb1880ad8fe3ef8
SHA1 5bb3c5e5d1ea381f4495bdb58943c89b528c489d
SHA256 447ad949819f35ce96e0e5c839482305b36e75b4741876b5b5bdace87799847d
SHA512 fd45c1150a9150f8786b9e7a32c740a2f581b5450febebbd10ac31c23eb12e8dc6e9714905a0785c7b6a1e97ccb870490f11960dbdcd821e81582d4641c9e29d

C:\tiwi.exe

MD5 0673b28a35dd4c6e121a846e816e08bf
SHA1 8f906938477d2236eccee94f332cc1745f521c01
SHA256 26a57e7b69332f5f6abfb97b1811cd61ba8b384bc20d786d1477211fcc62c76d
SHA512 9189529173b5155e7ac0eab6dad3d8ce005959bb9e0d6a4ba610ab45e61cc38cc9e7fdd6ec3aa908b32f27b96da02b82302050f6f1b15bf3a6b46db63a094c49

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 29e3d0e558a1df3906cc63f96dcc4354
SHA1 e3b293f0b156a6bf847e54e76af42b7deaf209c0
SHA256 3f31cfa22fcfd1b7bfeacdeae266a021ccccf4a5181da00be72be4196a7957c2
SHA512 97c42e958fb39e7d8c214738b05b6f7c3975057e9a3b27c2e51e754a0c041d73687593b197afe364286083581e39d5f6b53c557abc6f2fea9098a58d8f7ac402

memory/3652-233-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1632-244-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4564-245-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3652-241-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3840-240-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3188-236-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 e72d853495a522d923673d41d50d7a83
SHA1 88da6c348c603358ded51f546a7d68238e73315c
SHA256 3b0cd5cdeb3f83bfd6fe75e589005e726ec536853904a92b817ab13e35340038
SHA512 ed6e19f979cd259307d7d16a972aa1457e8300888c9a8e81d840cee516f2506f391738ef26ef4ac5084afa6201941b8cf0b4ffffef0b3680b8a92d5f6c7e401e

C:\Windows\SysWOW64\tiwi.scr

MD5 2bff5aac327063eb072ba28ba42d6a81
SHA1 e6a8697acabc1d2cf93cb4359f26a3382e6330ed
SHA256 2e98aed222786ead46b0984e1e8ea12c07d3ec2061faef8fcec62668d18cc174
SHA512 2544fa03d7135309a273cac2185a79d4e8fbc7ba4e79ef4ee0be6426c9d390bb705c0978fe74d3ef271bb9753b5f481505048ad809180a2bf7481b110f25173b

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 d71fcc341bc9c23945e918712b59f97c
SHA1 ad4a2da79d6b7d0ef5de9e2e6f95794a6927f005
SHA256 ebb8fd1ec721876bfbb5847611c026623179739d86aa82abf7b576735c214789
SHA512 e64ab6c5c14109f67324b5a55a868acfcc30f5637b6252fd32a34524179a41026fe25250c95c7978ec3d3cc334c7ad5f5ed8636ab083173889a4c589c8d9c7c8

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 ec114581537b5939c3d371e942ed6ff6
SHA1 dd267dc58f4eb6e86147da981cbefebaa5fcc402
SHA256 82deea64bc4cd9e5b7b62754fde0d1a19dd7e2811b8b1f7e3f5b4b18da0b7441
SHA512 1be0313534a9883b6f732a41f2d24937d1c55526dd8a97efd9ebc0cec2d4510db9d726544b0ece33f0d03639f59a8af76d6c8901adf583db28b3d77d6c17ac65

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 d9383fcdbedb1a752e54f905f4e1028b
SHA1 7b616ee9630f571ce292cb2929a93691c4cea1e1
SHA256 286a21e47f1008ad942b5e63c744b2dac444d59aed383f1b869e8785af0eadb4
SHA512 3a7706eb9f9ae53545ced42d8635c3f7e8fbce38196f0f1d1a53253013058147caa79d040c4ad7988a236bce681acc21fdff2e549412cc5025e7e8acc151f3b7

C:\Windows\SysWOW64\shell.exe

MD5 cae87c40d36cb91d2a05abd5fd7cbdba
SHA1 3ea8b253aa98e30fe7b51ae30d151577e6db7b19
SHA256 be2480b670c089927c0a142ca44aec38960c601e6b39536a207fce8c244155c5
SHA512 3b92407231405fd10f2a03eafcb0675e2d0a5a4c99b0b321ff0b91a1a70c52d85cdbf29097016093e5791d20c4cb442f3503d6942e10078d443739709be18cfb

memory/3188-252-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4564-251-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1856-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4120-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/456-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4332-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1856-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4276-266-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2564-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2768-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4332-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3492-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2016-294-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2768-295-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1632-297-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2820-298-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 34244406f807ba4c44bd103c3ac85a6e
SHA1 202ac1197a5def904bcd3d3aa003cba6fa3da84b
SHA256 a48a370ef506e06a3a350bcfdf5803737678cbe3f66cc8db72404b20e3ea4cd1
SHA512 46512c4764306bffddb0f3cc81bd7b342353ee413d8ea42b28f05b2f4c97afc65eed0ba4bc2a06aff1a61e32ff86119efa2ace9f884f0f1b0e2ae756c8475b52

memory/3492-315-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2820-316-0x00000000003E0000-0x00000000009DF000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/4120-393-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4276-400-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2016-405-0x00000000003E0000-0x00000000009DF000-memory.dmp