Malware Analysis Report

2025-08-10 23:23

Sample ID 241117-kcp4mavmfs
Target b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
SHA256 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474

Threat Level: Known bad

The file b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points

Disables cmd.exe use via registry modification

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:27

Reported

2024-11-17 08:30

Platform

win7-20241023-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\E: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\V: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\Z: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\I: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\O: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 1952 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2740 wrote to memory of 1952 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2740 wrote to memory of 1952 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2740 wrote to memory of 1952 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 2396 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2404 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2520 wrote to memory of 2156 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2520 wrote to memory of 2156 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2520 wrote to memory of 2156 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2520 wrote to memory of 2156 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2404 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2404 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2404 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2404 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2520 wrote to memory of 2312 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2520 wrote to memory of 2312 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2520 wrote to memory of 2312 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2520 wrote to memory of 2312 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 2228 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2740 wrote to memory of 2228 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2740 wrote to memory of 2228 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2740 wrote to memory of 2228 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2404 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2740 wrote to memory of 2668 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2740 wrote to memory of 2668 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2740 wrote to memory of 2668 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2740 wrote to memory of 2668 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2404 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2404 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2404 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2404 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2520 wrote to memory of 1668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2520 wrote to memory of 1668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2520 wrote to memory of 1668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2520 wrote to memory of 1668 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2520 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe

"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

N/A

Files

memory/2404-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 b0be3102b32edd9264701e3d79b815c7
SHA1 08b6c5c0256fd6475980744d5955a59a739eb87d
SHA256 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
SHA512 58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

memory/2404-98-0x00000000036F0000-0x0000000003CEF000-memory.dmp

C:\Windows\tiwi.exe

MD5 a32bd001152a4efa75d759f30e3c5681
SHA1 7734b32963b987ed66d5352808da6be9bda6fd50
SHA256 92c85d9372a8f6cf5fd2c1175322ee88e30f8b191d869240ae4f60e348db1e97
SHA512 19f5f49a659c703c7eae5f9a3ea9f2385264c939f56ad87f9785e4fb9e9ba5b5bc38472126e6bc805d3424c0b1d168adf9f8cdcb6bb27e29043ff283fb89b5a6

memory/2740-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2404-100-0x00000000036F0000-0x0000000003CEF000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 ce759bd98c56b64463ede3bf3f33df57
SHA1 e9cb6bf61369a77926cbfea9853709c4201ffdff
SHA256 68155b74d131d5992e55c1774cd73761463acc60ca97abf33bba429a90ac64a6
SHA512 dc6b6af1d643e88f53ee79b6a6ad958f04976553e3c9184a4c7b232521972d006c6f63241df5c8933ac21dbe1504cc9c22d54b459c88b155311bc380c0611641

memory/2404-110-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/2404-112-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/2520-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 090877d9c1c842142912cfe633bdf2c8
SHA1 158ff7652f9a1c9825458849aecfffa9934aa522
SHA256 ba2fe8c0ce0768b09a264cc58395d1e8b6de41f7aaa07ac8f7743277b707b5a8
SHA512 018374917ade2d5b36076d7ca2b56db95a5a20202d21a6fdbc234990be4ca82751ad966e79571528bdbceab50ca3a042601d6531821b5a0ae5c037cb40d6c23c

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 326d243250dfc5fe63da5b78b70bc716
SHA1 666096dafb6dd12de38fcb190dfd0fadf29d819b
SHA256 9bd43994ca6f32dbc75e68c73085eb0b7d9fdfe28c593085a93aa9717a26d37b
SHA512 aa3d6eb5873fe9f9277d5d944c66525dfd28d0685c124f4e2601182f3f060d9b8f9821a5fe49332c304a1c60d45a5be05e4043def08da9dec65c9e1be151258f

C:\Windows\SysWOW64\tiwi.scr

MD5 351afc7bee404b7bf0d58833b530be22
SHA1 9d2e10703c43163d799d07f9b171a1858ab16f65
SHA256 78725526ece54f68df207cb7b688475f658f2eeeb200ebf075814ca3bedf3a3f
SHA512 96915ed107f75fa49dae0c8b72047ef11782994f3bc8234b90927afc334c696c5afcce644fefdca6b23551894c60f49d466ae7ed2bbad26ad6157ed3d27dddee

C:\Windows\SysWOW64\shell.exe

MD5 0060e3f52f38813ab4b1145f1c2e61ab
SHA1 912934d3dd6192fb586c09ad840cf1f5faf852f8
SHA256 b4af52539447a9d170e50db13c2085b56fb9513ef9b42d491589b32edca5ba56
SHA512 2b0f43a37f5e6c2f686955c9ce8c85747c55815f8f6d63f05c7de14a543183ee650a0bd4a5d8e78b7c25fa720b5b5d947cb81e9a09adf05817d3e41b4ad3a36d

C:\tiwi.exe

MD5 b56414214748f9d28ca538109637e6e1
SHA1 7df00d8199266c429f7e2ebe0036857fac36841e
SHA256 65a0ada34732488a094a574a877f3ed02df9ef3a0694ebb0fd432cec420e27fe
SHA512 d7383ffedd8be0e13d9dc5bc2a1fd821fa963f67ffca174576a5b2da305dc204171ec36b05aefcae5aa74fb168a8d95f3366538d8047a46c5c8a186f9dc5d59f

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 15bd0b5e1783570c99fe22aae51342ed
SHA1 176c2442ee85e5ff97c32a5616c183bf969c3406
SHA256 1656d9800a0cecaf3e02df72649e85f0085cc7a633b060a061f70b2b93964592
SHA512 1b1fd89916422bf2e8dba866caa695dae0e079e80bc22bcc1be6ba1b4b09c3818d7a811621b2416405007d4c01ab7c50765da65bdb05a67179c6fb5a1f4d40a5

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 bc7ea5c7e2f396c1657fffb7994255aa
SHA1 d2c9b836e59c3e8ecbcba7f8c036c48c04eceba1
SHA256 bdd597f815b80d817091750da96e32435b5f909e50e73d08276b09f9652008f2
SHA512 02be12ef8c313a9a9eb95fb9a3a3556a718e9f828006184ee4e256215eea56b70e58e0eeadbe1e81d4adcce7bebb2efb449f98a727d34607e3475c48770bfd28

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 5cec5f0a046b514ad9ac38d271e4afdd
SHA1 96330f99273065b51af64a3d7feeace400a63231
SHA256 89377e2d3639c985e3cf9a9e4ecc35790ee142780a5a5bcdbbcebd32ac5414fd
SHA512 3dd8062fc5a08013651adeb53ff4ba13a774e04dd2a99b42a6733e61d785384c04063501b40153e9036b600612bcd0938d493027e897a9d389b151c60c113ef4

memory/1952-158-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 25ca7db8d6fa75423e56ce931e022e67
SHA1 4a8bd5b89c646d9cc423279b7c735b7a49509658
SHA256 aa8bbdb780c316e493ca67c3b0967cb3f8411498d5a8d267889be95b07f9aed9
SHA512 db4e85154c6491a086e712adbecfe5bcb387295bc7c5143fc7686b73708490f2190874f4139f3eb6fd5e492fe8f796af207465171ae143f37a152c466792a609

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 d2b09605bc0f0a9bd7e2679e5ca80f33
SHA1 0731aa29ff9289913941d19de5f9ea9cfb1d4901
SHA256 6815469edb0ed5548dfe86c03093ea11b1447ced841f00db2fbeb5b55b39a3f6
SHA512 ddbc4eea8d0fce63e5d7127a88355c06647d0225e66debde7a980e9c283e67463b591e445e5659c9d577adbde25c7a2af5ca8b15fdffb673057b17d82c91643a

C:\Windows\SysWOW64\tiwi.scr

MD5 e4f6ed8488bf167c7def663e7fde1fc9
SHA1 54d698a655435112c947281681151d2a62282ed9
SHA256 0e08a351f1149f99c82ebfa701753477f258e32e9a64fa34d087d9412e296b14
SHA512 adae634ffa0b6277dba9db863a5ee3980eaeeb9ced709e4a939bfa3636f22121e5d9965024bc2d9b6c1b624d1cfad4b81733830b52ad2fc1b34e9323191b8c3c

memory/2404-207-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/1368-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2740-216-0x00000000037E0000-0x0000000003DDF000-memory.dmp

memory/2396-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2740-217-0x00000000037E0000-0x0000000003DDF000-memory.dmp

memory/1952-215-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1952-214-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2404-226-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/1368-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1368-224-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 3bbd6647f7d24e65f286b2b8177127a4
SHA1 f7cf5614f0e0afc0011c27e6fade598efbed1c92
SHA256 929e96344a5c046fd8ed1592f7f53f444d37402ff210f1996bf2775127f933ad
SHA512 b0366cda2d22cbd7dfd32026737190b1014da45a22791d8ce6e9e66085c8762a825795a24b56bfd5a2122c795f11d57385300dac7c8588283c2486a84c6cbea7

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 3557620cd6ab2144210fae3ed0cd1827
SHA1 7db125c897d51760ba75918cbdf119f48112fadb
SHA256 6c1e1ad772f5f0f56130da6ce0a68950e0cd8d99e7a6755eb645f0bab7b7be53
SHA512 5c22f38730cd5f90dd9702ecc7dbe8222efae7d6691e0c5267131a86124590ee3a8446cf199fba116f51b3eb5e5aed236bec3952d9b1494b9a47dd50bf16093d

C:\Windows\SysWOW64\tiwi.scr

MD5 f75f0b6ed664e341fc47430a01152a11
SHA1 cc0c1329df5ee77ff9bde5105022694d3d0e39a8
SHA256 06691ef65e8535139a8ea60ed9399b4a5a91bf740a4980245cdcca0272218695
SHA512 af4e8d6f209c92550de253c553b6b0788274fe14a6d1af83a7eff0496279b1827f3ad43d0bf933f8d5db6ad1da0fac274e308ed0fa89fb9cc45eac9745b66a72

C:\Windows\SysWOW64\shell.exe

MD5 ab15918c976b1884d52c2500db049fd2
SHA1 d3d648d224ab8930006175169e36e5282ce3e800
SHA256 fa477bf6fdec992251a9f1291a79fb06a189c9ddbad5ee45f16f2d9817de05b0
SHA512 c6b5f75ff439d6ffd4e16672b4931061a70835673cea057e90bd96377d84aa0d49ecb0c2c09423b27a1734e3e2bd5156b3de54bb4c9da1fc001971743a354e20

C:\tiwi.exe

MD5 ca87226c8c2120428eb8890cd9b2fa8c
SHA1 19bd86a1317d8bf5c6f047ccc82b3b43db15b545
SHA256 c8caf94bbcf1e35c45b40d5e485f9ca74df5121a3f1a4a4a81448ff5ee67ecb7
SHA512 cb0774779a5c2f5a957ec8b3a374e0d22523f56776b38b94f14a952d35758c4a8cac6fa78a1eecd0b2c1581f25589e479dd8b41f82f88e68cf2308e890273805

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 b10bf64ad9b13908783b5d545343f703
SHA1 00adb3183f8cd0bd62a0d017aa499403a606e1c7
SHA256 fe8ae222ab1a409b28719577d512dd7530d207277ac10b7e854d64a4144afe64
SHA512 b19350ec9ef3c59dc3ecc8edde535ac0fd1697fd693dec07b1a64816daecfbf554083076a86448b5aaefda6d3987c51e876386dcd9914df56cd706b75539e075

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 f040e3e4d4f81482dfbec84c848aa2d1
SHA1 d0520bf48642cfd77d6fb7bbd3228f514dacc703
SHA256 23227aea29be10f2139e287d44e9ea44146264010654ec6d30a8dcdef22f393d
SHA512 a64757fc76672d504cedca9dd21009b28956dce83c6220db11cc800c77c84c985e882945483f8e65d1da2ed66e93fc1864c74f45a0fcaedc711690016e803178

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 8304c36369390a06ae099f9c4cf2639f
SHA1 d9226db34cb6b43843c153a544e2690f61886d9c
SHA256 17676b4ef64b2f7e7c686c5a11ada95144499b821ee32a9e41c5c2e94f920cf6
SHA512 63afd86e2949d786db4d450522882ec61cce97af035e8d0a350548a79c191df55c9e24ddb05d19e99f2a376ecdff9c4bf83c309b02f2b3b742aa2eda31a03455

memory/2404-227-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/2396-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/768-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/768-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2228-296-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2404-299-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2156-291-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2404-300-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/2668-331-0x0000000000300000-0x0000000000310000-memory.dmp

memory/1668-329-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2740-337-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2404-338-0x00000000036F0000-0x0000000003CEF000-memory.dmp

memory/1732-341-0x0000000072940000-0x0000000072A93000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/2868-384-0x00000000003C0000-0x00000000003D0000-memory.dmp

memory/2868-383-0x00000000003C0000-0x00000000003D0000-memory.dmp

memory/2872-389-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1508-425-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2404-424-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/708-422-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2520-426-0x00000000003E0000-0x00000000009DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:27

Reported

2024-11-17 08:30

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\H: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\K: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Q: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\U: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\G: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\R: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created F:\autorun.inf C:\Windows\Tiwi.exe N/A
File opened for modification F:\autorun.inf C:\Windows\Tiwi.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\autorun.inf C:\Windows\Tiwi.exe N/A
File opened for modification C:\autorun.inf C:\Windows\Tiwi.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\Tiwi.exe
PID 2420 wrote to memory of 4244 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2420 wrote to memory of 4244 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2420 wrote to memory of 4244 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2420 wrote to memory of 4732 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2420 wrote to memory of 4732 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2420 wrote to memory of 4732 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2424 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2424 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2424 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2420 wrote to memory of 2056 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2420 wrote to memory of 2056 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2420 wrote to memory of 2056 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4048 wrote to memory of 3300 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 4048 wrote to memory of 3300 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 4048 wrote to memory of 3300 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2424 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2424 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2424 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2420 wrote to memory of 3676 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2420 wrote to memory of 3676 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2420 wrote to memory of 3676 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4048 wrote to memory of 1560 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4048 wrote to memory of 1560 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4048 wrote to memory of 1560 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2420 wrote to memory of 1060 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2420 wrote to memory of 1060 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2420 wrote to memory of 1060 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4048 wrote to memory of 2684 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4048 wrote to memory of 2684 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4048 wrote to memory of 2684 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2424 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2424 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2424 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4048 wrote to memory of 5036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4048 wrote to memory of 5036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4048 wrote to memory of 5036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 4048 wrote to memory of 1172 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4048 wrote to memory of 1172 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 4048 wrote to memory of 1172 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2424 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2424 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2424 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 688 wrote to memory of 3992 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 3992 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 3992 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 1060 wrote to memory of 3188 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe C:\Windows\Tiwi.exe
PID 1060 wrote to memory of 3188 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe C:\Windows\Tiwi.exe
PID 1060 wrote to memory of 3188 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe C:\Windows\Tiwi.exe
PID 2356 wrote to memory of 2440 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 2356 wrote to memory of 2440 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 2356 wrote to memory of 2440 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe
PID 688 wrote to memory of 1616 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe

"C:\Users\Admin\AppData\Local\Temp\b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2424-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 b0be3102b32edd9264701e3d79b815c7
SHA1 08b6c5c0256fd6475980744d5955a59a739eb87d
SHA256 b247aea9e20ade414c8040a36758eb7a6b1fe28c444864c9d40e8100fea09474
SHA512 58807be09a297c1be232cd304f68e6e3d79f088407a82254966d4c0e4327bf4bc89bd9cd23d239b2581dd0c985ac154c4631437528f785a527f5f74bd1364b6d

C:\Windows\tiwi.exe

MD5 9e04bfb20749015ea9449f34ad60ff7e
SHA1 b45b665450337387c6cb55f985564cadeacb77e5
SHA256 c4f4d70a24d04540facbab7bc13c2f58f48066f31df2007be81584a31afa2f3a
SHA512 9df2ca2dd381f3c798671e9740d782606c5f73180c36f9c828a91dccedaa2a7a7ad950095569a72508917fba25f6656f52dbecd7bb61e2f059626bf3208318e9

memory/2420-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 027f07517d0285d4b81c371888cc9756
SHA1 ad4565b7e461c8dfb08fd6f125727fc1066301e3
SHA256 bd18659994f8867ce14ade8dd51614856c1cf99a1c8f7076d23f3e5616d49442
SHA512 ac5aa6c4b297ad93af110380b33565612d56cec5537908a365ede49b841999fc43ca855432eec0e0ad4ba6f232d40ac9fb25a1c8b3b025e63ad74d43b7ce8558

memory/4048-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 d99cc5763f63569617ea1c5a292e35e5
SHA1 98fe017a3c5db78cdbe8bc9128240ed08af45ad2
SHA256 236c2875ea3828c1536117212a8474bd3649d54907cb4e55e3c485da1a6fe990
SHA512 aee29add9ecc6370c26dddb893ab59b24f0628db9d8605dbbb92e64937640621de6c90e562beb6c357724dfb5e8706ac8da298a7ac8db9099a3432a36d01541e

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

memory/3240-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 152f9c3985070e16de3bf864f648e358
SHA1 9f6f2749a9979de8d4975f61f82341e28a5d7692
SHA256 e4b0ed86c72a3e0cb32716c9a90ddd8b370c12722fcaac41c9eec171613d82fe
SHA512 1b1a02e66be2ed918790e72c95e958339958b67b20308c0503f30dd5198359ce20cc4a3947c748ac584e08fb0b631c650e90c5cb5cae701d6e888fc97da37671

C:\Windows\SysWOW64\tiwi.scr

MD5 bb9211d60a55ce4a21130baa20ac110d
SHA1 0aabeefe7bbd668fae2e6cf92268809831ba91f0
SHA256 7464ebf6dd75fc7d826490908cd7676740cf61d3b19246d99aa25d35c6c3576e
SHA512 b4ea21627323a6c95432211081b928a97a56ee23efac479a23b76b7c120f2d8900aef4a71773f98095eaf5206d20296f78ccaef1e7cae122584602829beca149

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 f11208c59165a15170480d46b7f60723
SHA1 dff6dfb6f495a27ba8ed51a8e58f9c0e9f0d095d
SHA256 79036533e9bbd2af2b6c929fba1b17bbd0efc93c646f6eef6c5aaabf64c679d5
SHA512 7f4efcfda3756ea757a5d422c94a7721ba2fcfa11598ead60fff3075d56c72ba95f44361876a810a45efdc6c6399c79b66d6d89a8705a5628eb77ee6adb82185

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 0990c384d04399819af22651864d126c
SHA1 8df2bbc2c51252e616e996795efa329d965f8b81
SHA256 79224bd18da006981f12ca1941ab752e93656a348a16096b8b5809f3298d3a99
SHA512 5d05872d3781fcb9868181722a24b25b29cd3819ceba16ffe45dc6b53650148c6436db748073b24ccc4e01af88f4724713f28365e44a23cc2d6cfcd0228a6fa7

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 600e1203b8dd0ed57316f877583ea6e7
SHA1 a9669fcd8cf0994d6197c0724323ee59046afb4c
SHA256 1d89685f3297266704214190bb672ad3579d404c786cc50fc57ba4ba9bc7524f
SHA512 840bd4ae405be033685b248275e2804aaa7cae76ebe9d72bea03bd291e78f9083c6060e037a3983b4567387129dc43a98c3cdbe95203e021f736b0bf9231a2d0

memory/4244-191-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3240-198-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4244-202-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4732-203-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 3cff5d83ffab0c1cc287716c8f1eae58
SHA1 a1cbe21e67775c376c2f4306dc8938aafab735e8
SHA256 2260d1aa28444d03c2055b5a158ccd5b678e631929ec520c0d547551b727163c
SHA512 4a22880b07c66674d52ea2c2cc1e77395f0143a28bebe37d76604fce8eeeb435b98bffa383bad646cc3cc6ce4e6010c7ca61417cf7fa64d5acf6575f8fe4a6a9

memory/832-207-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 8c0b47e262293a18c06dfc00da233283
SHA1 7969d6216878d6e5f1595baec518fb207000f7eb
SHA256 c34e4c85463834526a83d05b3195b4696ee2940a37a458919ab91898b3e1463c
SHA512 92797ad8d1954531d9a549c9f832d56ad035caa744f33c097887b05e51287810356ca960392f32b34416af9d81b5452935d1d7961cf8e645725f9ab4fb2fec3c

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 ddb0e5ac8ac01deaa8fd87ac8230ec93
SHA1 850310df5d7b6f0a00ce1aebc3d69315f433db92
SHA256 35a0bdb8ba21d8333f943d96a6645950b8ab95d38309359ee2e888c27a973190
SHA512 5fb1814e691dd8fe68e48b0caa13436bd797432a34313a4bcb8815074ab3d170f223b4f543162cde25134c086cc5d2c24a969ae730254bbb8e53b24ff1fe84e2

memory/688-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4732-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2056-228-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 3ebd5f4f595c5b702cccf79972cc5add
SHA1 4498f9ecb52157252504cd3d4847ebd5cbe65a6e
SHA256 05c42a53f844e9c040c2a3578d5591eacc88556af4fa577ac56bd557f947f2af
SHA512 1e78ed8ba179bdf5edd8d1b8872c20352afdb282395d1750dbd5d7ecfda1a37ac40002e48b69030eef6050ad9f57a515b6f5ec7da185f254622813d1fde86b37

memory/2424-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 29dbb307e51cc263748a81f4e2451489
SHA1 6e1b5b47c06046e6f7dafdfb2e61b74d3c71e5d1
SHA256 a24e2e991df84f7d675ad576c304ac08ebe5a1866938412f1579af4aec9a85ec
SHA512 08e0f5e7f2d177ed2ac25eacd40d1d6b0872b60e2a602d611e6f5c4385b0cf41156d3c9288e2850e6ee9f6a6ec1074c48e690ad9bd65c8cb23d6dc37b4fb289d

memory/2056-263-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2356-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2420-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3300-261-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3676-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4048-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1560-282-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3300-283-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

MD5 1b58247907706a6036549bd2ed5ad049
SHA1 e1873e9d8f6161e424d137c5f4063a3a8a56f4c2
SHA256 6f66315d3501ab0b60c300f0d39d08965f2787bba64e053a8be695abd982f87e
SHA512 c65b86c2b690830d2d91e4690ea4e02983ead1f5b7eb1b02ad4cb70325e5cd8e4296b8445feab4571c71033c1c398bd8c12bb32fe0ee0a2d5ea4da1415c138a9

memory/3676-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1060-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1560-296-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2684-297-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4436-302-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2684-301-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4436-307-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 db24234e2b2452487414f42f9a598b2a
SHA1 5893cd9b681a4c1c048e6b4c6a8c2c040147defe
SHA256 e1c0c3dd4b982527f56e2cba4300dd93b71e6312f7014f023df2721e4fb1661d
SHA512 5038d55e7c30fefa4cfd6e3cddee5ea61001d803467630ce8e9ebf7371715b0d234d0df88f6d615cb636ddb6b61ac5d850c8b84d2c032a739103c5f8b8a70af1

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

C:\Windows\SysWOW64\tiwi.scr

MD5 48e123848fa5d91b382d49bcc202c105
SHA1 b064095b5b6e7e8b7f366978f22394fa88a9e445
SHA256 b00e51150c595f041b9cf992a974542f14d14e217856055551ad6204612744df
SHA512 29d453e839a4fdceacbab4d96db6e26a2e8273b5ba57d239c15aad76c7c89df088a0b6b7879880666bfec5179a08b399defd0c67142de5aaaa3cedaef705e7a6

memory/688-363-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 8638a33cbafabf9d668f435709ab8f4a
SHA1 5d7806dc40c76b30428437baae89351ba3d79f19
SHA256 b560a16427a23ed535c3221d4bcc27c33a0a06cb90fa62ae1dc346dfe0315428
SHA512 d5e4e2bad27d53b1c7b7161c4e62358a5c1961fba465234d76b276051fd5d765db3ecca77a334fb78c1c026d335c6aa7b9f566858c0733a3fdcef626244a5d99

C:\tiwi.exe

MD5 e69508e2c5823491be42811dce2ac4e4
SHA1 3a6a80201b50a45f0f98f10bd92923a24b01c099
SHA256 de0abd5bf56925987d3fa75860b6f4e2ba3f7d19993b29c2ab69a31d29cedfac
SHA512 55cb335bc7ec205541a5bd333e5d161ce2d69d9203a1e45b70a990ba4c4456adb6ead26e02921e4ca6e2d53a33a83d5a0989ecfdd88f4141ece4a59b61019ab3

memory/2424-420-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2356-423-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1060-424-0x00000000003E0000-0x00000000009DF000-memory.dmp