Malware Analysis Report

2025-08-05 16:57

Sample ID 250127-zczemavpbm
Target 24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399
SHA256 24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399
Tags
defense_evasion discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399

Threat Level: Known bad

The file 24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables cmd.exe use via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win7-20240903-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A

Disables Task Manager via registry modification

defense_evasion

Disables cmd.exe use via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Disables use of System Restore points

defense_evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\S: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\V: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\U: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 2684 wrote to memory of 1720 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2684 wrote to memory of 1720 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2684 wrote to memory of 1720 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2684 wrote to memory of 1720 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2684 wrote to memory of 3016 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2684 wrote to memory of 3016 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2684 wrote to memory of 3016 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2684 wrote to memory of 3016 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2468 wrote to memory of 892 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2468 wrote to memory of 892 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2468 wrote to memory of 892 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2468 wrote to memory of 892 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 1968 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1968 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1968 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1968 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2684 wrote to memory of 924 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2684 wrote to memory of 924 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2684 wrote to memory of 924 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2684 wrote to memory of 924 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2468 wrote to memory of 2472 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2468 wrote to memory of 2472 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2468 wrote to memory of 2472 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2468 wrote to memory of 2472 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1968 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2468 wrote to memory of 268 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2468 wrote to memory of 268 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2468 wrote to memory of 268 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2468 wrote to memory of 268 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2468 wrote to memory of 1256 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2468 wrote to memory of 1256 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2468 wrote to memory of 1256 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2468 wrote to memory of 1256 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2684 wrote to memory of 600 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2684 wrote to memory of 600 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2684 wrote to memory of 600 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2684 wrote to memory of 600 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2684 wrote to memory of 1344 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2684 wrote to memory of 1344 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2684 wrote to memory of 1344 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2684 wrote to memory of 1344 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 344 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 344 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 344 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 344 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe

"C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

N/A

Files

memory/1968-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 3ee1f6b1a8628fe8f538fc06c04cbee0
SHA1 3e2717e8d5bea31fe660157fa421ca780556634e
SHA256 24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399
SHA512 36c9aae41989926ad94460d6ea8d5b98107693c1a1fa5aab3f750f29297152e07acc8f195ce8e46ef7b3e003dedacec9384d984d3ba373ee0144c6a64bc82a8d

C:\Windows\tiwi.exe

MD5 0cd678498db8e957e9f897fa92e4b021
SHA1 4184dd32528355a60db201bd01d5ea9949810559
SHA256 0430869601de1f0e28bc986afd65d7d2c2f315f547ebaa9150f24f325ba9e295
SHA512 faeb387b4ceebe196d1dd595078a9d8782325e4436ec2ee5f5417ab933f371d99c9f3f2bab1d4d1e860b5cdee7b7d98299f0a4a6045dbc5a3035a482f3ddb6a5

memory/1968-98-0x0000000003850000-0x0000000003E4F000-memory.dmp

memory/2684-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 34960b20630bc26c4ae607d155a42cbc
SHA1 36408e093fa54a8c57809e2d66966d4b5e1eb023
SHA256 83584bf1374fcc39783faa97ee6f5f37fa0d1734785b358915ffa7975b6be1c8
SHA512 adf9c0b35e472da5d83f11e7cfe4c66a3dcb5d7f7ab85ea6c1233c0e27bb05707989c2d43a979cf7399f3e6254f8cd26624342a9966434f6aca3ffac47363681

memory/2468-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1968-110-0x0000000003850000-0x0000000003E4F000-memory.dmp

memory/1968-109-0x0000000003850000-0x0000000003E4F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 47a6e30682b6c4c97ecf7fc157e78130
SHA1 535e99739a1efc4a6411c912c0a1dd1ab2119290
SHA256 32974eff2fab0d8747156597086f5f4a71fee7c56313293bcbee51e190fb5a1d
SHA512 6b91d13b84cfc41c51bc14575c6d3884562f6cc7ce966739a71b00f6807ae5a7f18d0e7a6bc085fdb60e11935b38d5deaf22bc17558b1039967fa43570362158

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

memory/1968-164-0x0000000003950000-0x0000000003F4F000-memory.dmp

memory/2940-165-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 1ef9a252d801b7b66be8727b4db2819a
SHA1 aa5bd3df0d0364cb3d58355d739bf1cc9c16b599
SHA256 43675cf8aed98d29fdf363820ebbbf5f78a8178e112c458a0cefe0b232f265e1
SHA512 eab3676317449a8bea9d2c5eba45962c03e1258f60e45ee0f82b161b7aa973d8f994dd729bae5b83c0c92661df92a4b9b73f32e6627f308bfafa2e6ffc022e88

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 7404effc4c4f968b8309910be0ab6575
SHA1 e18615b816b584a6119d867d6c24478577a3a0c3
SHA256 c5276a2c5191da1591382e7e3ce41e36a8317dcca3224add001efbefd4cdb8b4
SHA512 44ed958f72c6f7a87d13af4afc2c560494d2102bb0e01d03c059f808019e6e7244a2b2d9a8078c84d25291506f6feb68a5870c9cc6c3862dd277ed13cf5552b9

C:\Windows\SysWOW64\tiwi.scr

MD5 0c24974cd23653eb794821d4c9ff13a9
SHA1 c10b946e164f372c983d6988cba48a6619b17a31
SHA256 a7331ecbac4745dd644563d59f455d5886a7abea0c151de3571d772ef93492a2
SHA512 f3d5b5286cee47ace2c699e05ef82322d0cca44f3dc20ba6a01757abed91c19b6cf4bf6e5c2ac584c5a7b2874463cef1f73710c936029c45f54a3cc7afb72092

C:\Windows\SysWOW64\shell.exe

MD5 8d8a10ae69830601c462a42d9f5bc0bc
SHA1 ed4e015a440c36566832fd6f90bb49661beafd47
SHA256 c05474fa958c7ad0aaac917f789555ec1ee15b3e2c3056fc6924fc1d6bbe56f4
SHA512 916536ea8593e30e26fead4f729bd28c76bb9d0f6bf889e527187901acffd86a49dead878a7c4eeaf1d85dd18620eb33808613bad587604b3cf2ac8d52034db0

C:\tiwi.exe

MD5 80373df14d9072a0ca09ff907f941e31
SHA1 e99faeabd9bb6f377ab17db1baadca28d2736bb6
SHA256 90ad36b1e965acf545e9e11f7398f933fe8ddd6d7d157e15abb5d6c597b0182f
SHA512 c467b4e118670dff6dd66109cc7e97ed92a3062cc15f4ac0f2a8ed779700aa32e07d474cd77d91c6bc554a7d77a51b84dae84f66f6330fcfa8ac69c4cdff94dd

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 bf22bb5b84370120f486e902d0218c57
SHA1 4c89fe6a4ea59981aa0916c5cdaccac1f2d0e217
SHA256 80e9933314a80e4c888eef19f2c80a5f83aa1eb794e09248ac40d31bbf96ad2f
SHA512 63c9b086baf631ffdf0df3c97848bfcfc9c4ab802dc12fa08f67255a44348d6ad3cd05f1b595af2789dfa6a4ae0c8f8af1c46f7a4fd8915ea8eaf0d8bb46591c

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 8d0d214c7f9f82b436314f05d5d74a0e
SHA1 3ad6eed829699d24838c391fac3b8d1a29c48291
SHA256 aac648f4ae3c6c77a7ca318a12293a785772559303e9e81931682432d03e82dc
SHA512 4aef3890837639975a42325b31a97c9495c48bc86f740e1a043eada7fdb0f5ff6650b1ca79666b8c9b833c3d4ce9bed4e3776d60aba1cfe242780f543222475b

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

MD5 86c841cbf0c822bb28a20bbced06481e
SHA1 128874f1ce8f358681188ef1f721565863ab929a
SHA256 6060c76bbf5f827f4350573f9872d65329d55d4f0c392153ed2ec8ad9d2c697a
SHA512 0eee379b828a151c87a4b5b5f31b502936ca77469960a3d0e044c874ffe0ec77c892396f720f6e22f1d2c9a418bff4b6e329b034f6b9686991267076ee9d6580

C:\Windows\MSVBVM60.DLL

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/1720-212-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1720-215-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1720-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1968-225-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3016-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2684-221-0x00000000038A0000-0x0000000003E9F000-memory.dmp

memory/2684-220-0x00000000038A0000-0x0000000003E9F000-memory.dmp

memory/2940-230-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2940-229-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2684-234-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1968-233-0x0000000003850000-0x0000000003E4F000-memory.dmp

memory/748-232-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1968-231-0x0000000003950000-0x0000000003F4F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 84e15b48d98c834fa038023d959a709d
SHA1 6724d299ef8d888e5d09b1c93c2a8bd4567f9423
SHA256 360853aa8b9220a5f8b747f5cec99d704f43a60e1c17881d231024ff2c26e2a7
SHA512 53fa9213adc4e65fc7c7e9d0f9ea1ce0927c762082ed1fee0b1ac2da019d775d0d97083f97cc026930f95bc1f0bd3ac1319a2e36a69e9d1ce0df694c1168620b

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 0957913e1957760233f791fa0442e2ed
SHA1 fca5eb591513834958e3333e82483a05817d76d9
SHA256 d6d7b73dc1934a7a37085638f918fe9bbb2c2ffc862e18c5605c003b4b231b89
SHA512 936923ebd78dc9f82c14b3b66ce9f4421bf24340dc7c60a9e2701614efb8034bf1af77b499cb7736218033d87b354b906a30b2b790001dec1bc8acdfd8ade63d

C:\Windows\SysWOW64\tiwi.scr

MD5 684ccd569cbeb3edbbcd5b9387a49784
SHA1 c179d4dec830ac420b7a2f3fe7a4b176c19965a2
SHA256 5edb91bfa9e5e179c3c17b74483a9e8ee1d62e0393c4205f68bb906c64c23814
SHA512 3a1f066ce87cc48de62b132ee366429c89f0c85ca44fe2e2b1cda81a42ca3249c3f3dcb6a777eb56aa04dbc28adb9dd8461d164babb5d980954d0ce95dcbf2d9

C:\Windows\SysWOW64\shell.exe

MD5 f784ab4e335270fa8d784765535ace9f
SHA1 fbbb01e51fd16fed88834bc4f5ff9cc86bbcbe7e
SHA256 be47067acb04e1a62bc2f0b35db0337bffc0df82c583a72474fa071bef398a8e
SHA512 d34981638c997c00e359a97f5d0021bf4773fe1c9f2f966595c850a4a35b722d01407343b9efeaf00ce8e7af26a7be6c12746a6aadee4d5d8813784c105620d4

C:\tiwi.exe

MD5 4abfaa583d78b026aeb7a35c9766d831
SHA1 9a374caca81844925f6b937028923070b4cc1c96
SHA256 2a685dd251d29b0c896ed9090668894fed6f6ade51ab11857f28631ca9188d58
SHA512 035142830c3478a372bba9cdf83be48e9aa1fcd51b6616e50dad17185326b61b2ebe8b908a468caf82cf5c06aa3f170058bb92f4411e7f76d37e3322b5444cab

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

MD5 be47e7676966f7b4eeb32d38d51fac42
SHA1 815eba6384d1c35dd7e2a5397b9de380c8014431
SHA256 279ca667c58bd8bca4e4f4d8da394db9c0be9ff27e8c7810c911ae0eb6f8d3d6
SHA512 6703cda4fea05458650d573f7d69598907224544d8e1135c94d2bf044bfdd689c786144546446f8e64229009e8b53b4a0459bed80d0bfe5e9df68ba0364f5848

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

MD5 3f5d7af22880da6bc20197f2e36bef89
SHA1 837fbce9a6b294975266af13abfbeefca2f70d0e
SHA256 99461ad0b932f436e2847bdc772739642f5eafe118f729aa2b29642cbbcf1807
SHA512 d01a7af9ab1675cdadff50cf4d25889ffc3770b6d435913774fd9c7d5e5d2ffcc5a88b7488b7ce72141d7c1490958ed5f5631a9d3712c32daa11011b1d2f779e

memory/748-240-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3016-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/892-286-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/892-291-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 e5d463744f6f0569f25a28bcca9d09e8
SHA1 7048625e3add64528e856002d4bc13c274428448
SHA256 8a1c77e974b3317ec4982303459bb5d58918b172590e1a5cb457ccfb2c449b87
SHA512 cb8f5e4c13fb27f68508f7452af907d71a206bd8cf6423779ffda37e011f0546ae89c620d94330e965fa1fea5f2678cf92263b9ef7b2356db22aadb825cc6d57

C:\tiwi.exe

MD5 5bb080432b02e222c99bfecbf15decb6
SHA1 ebf421341c7d556b06520c2ca748279350ff054d
SHA256 2f072484c25296d55895c31a773b76de27f3a8993faf2f25fba518625070e68e
SHA512 28ac844796c39cb3dea90b9d852689e31f1fa985c1ff1abba7848e63464d25a55216cea52f26cf38d9a6a7ee88c493acb45877142ec6cb15239c7fc061015bc1

memory/2524-347-0x0000000072940000-0x0000000072A93000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/2468-392-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2784-400-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1748-429-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1748-428-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1748-427-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1572-432-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1968-444-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2684-453-0x00000000038A0000-0x0000000003E9F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\Tiwi.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

defense_evasion

Disables cmd.exe use via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables use of System Restore points

defense_evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\H: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\E: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\M: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\N: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\P: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\B: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\T: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\L: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\S: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened (read-only) \??\U: C:\Windows\Tiwi.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened (read-only) \??\J: C:\Windows\Tiwi.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\Tiwi.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\Tiwi.exe N/A
File opened for modification C:\autorun.inf C:\Windows\Tiwi.exe N/A
File created F:\autorun.inf C:\Windows\Tiwi.exe N/A
File opened for modification F:\autorun.inf C:\Windows\Tiwi.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\tiwi.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Windows\Tiwi.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
File created C:\Windows\tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Tiwi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s1159 = "Tiwi" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\ C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\s2359 = "Tiwi" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\Tiwi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\Tiwi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\Tiwi.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\Tiwi.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\Tiwi.exe
PID 2312 wrote to memory of 2108 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2312 wrote to memory of 2108 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 2312 wrote to memory of 2108 N/A C:\Windows\Tiwi.exe C:\Windows\Tiwi.exe
PID 1220 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2312 wrote to memory of 760 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2312 wrote to memory of 760 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2312 wrote to memory of 760 N/A C:\Windows\Tiwi.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1220 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3648 wrote to memory of 3452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3648 wrote to memory of 3452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 3648 wrote to memory of 3452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\Tiwi.exe
PID 2312 wrote to memory of 1896 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2312 wrote to memory of 1896 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2312 wrote to memory of 1896 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3648 wrote to memory of 3640 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3648 wrote to memory of 3640 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3648 wrote to memory of 3640 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2312 wrote to memory of 4192 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2312 wrote to memory of 4192 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 2312 wrote to memory of 4192 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3648 wrote to memory of 1572 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3648 wrote to memory of 1572 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3648 wrote to memory of 1572 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1220 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1220 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2312 wrote to memory of 2536 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2312 wrote to memory of 2536 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 2312 wrote to memory of 2536 N/A C:\Windows\Tiwi.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3648 wrote to memory of 548 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3648 wrote to memory of 548 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3648 wrote to memory of 548 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 3648 wrote to memory of 1596 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3648 wrote to memory of 1596 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3648 wrote to memory of 1596 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1220 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
PID 1220 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1220 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 1220 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\Tiwi.exe
PID 4192 wrote to memory of 404 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe C:\Windows\Tiwi.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\Tiwi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe

"C:\Users\Admin\AppData\Local\Temp\24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\Tiwi.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp

Files

memory/1220-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 3ee1f6b1a8628fe8f538fc06c04cbee0
SHA1 3e2717e8d5bea31fe660157fa421ca780556634e
SHA256 24eb02e63ce81512df5dd1d0256352280e520b2d774eb1b189be9946d59c0399
SHA512 36c9aae41989926ad94460d6ea8d5b98107693c1a1fa5aab3f750f29297152e07acc8f195ce8e46ef7b3e003dedacec9384d984d3ba373ee0144c6a64bc82a8d

C:\Windows\Tiwi.exe

MD5 3270aa415a6917d59f53367185e5abb7
SHA1 5ed49fff60a807c240450be47594b4c686770cd1
SHA256 40269cc64d962ada2cee0f249bed4b07c615d984ae012f8a6be1e68ef63ec4e2
SHA512 a62a24399f3b70b7d7b7556a81aab08abff6004eeed613e444606c62fe7b26b4cb5c6d3d7f44aa6b076dfc0379ba0b00d733fe84aac2561c3e8345f6ade1c4d5

memory/2312-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 2c9c22afadfba5762f33a75e39283c31
SHA1 ae638270419f1bb664f9e25008c87a605064fa26
SHA256 5fa33b36ec0c86a79e695fce8f845551638352a5a52ee73b854c3973e1271801
SHA512 dd5a61e2d00fa051f8b0a25fafd3782a2bb6e82225cb2d14875e63b0b3e58363f30a457f6ae76976d160d26ff0bd90ba27122bf56885cdbc00470db09949ed2f

memory/3648-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 55fc9f941c1a0ba19f164f374f4b1020
SHA1 fd99d32c2eba6ce0918aebb7c13152bf15260ac8
SHA256 6a3146e11df5493e48f881ffaec27197c8917baea3a0fc6b75946b5b3adef4d2
SHA512 f2f8ac7ab6b46e6cd2b053a19696057ea4510e68cdce9a18692221d285a4371dabac4af1e1fef911e767ec1303aa592e2dfbd92f6cf9a0e150e2cbd8bd037cc2

C:\present.txt

MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

memory/4000-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Windows\MSVBVM60.DLL

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 0262bb0e38550d21768f08275afe5831
SHA1 f54f6adefd23e190355aa4715d15f4f9b7f33986
SHA256 11399a1119df4942f27198854f6384def921dda5eedd3656ee7f34b19ebf7b67
SHA512 fc6f643fea09f0c8df66a0c4301035a4ab05d28ee2f473c6ef9ca975258eac2c99fc180fd2fb9b50630377a8c9155f99924ba0bc152caba37b92a7e575e3e07e

C:\Windows\SysWOW64\tiwi.scr

MD5 bf0517996f05a3a7630be11fed71c10b
SHA1 1f69dca51dac1e3722bd72cce92708d8af1e25d3
SHA256 411e2e0529c92c67f658002478f839ac25eb4da3b5e80222114b5debbee1ce3c
SHA512 1e018e1ae5dbccd3c88eb87322cfc6bf0ba04c3a1cf5db459cb4b2f2bb6bc4a1c156203a72b59cdaec348374a6240f87009d83ce9225e4e748ef2b7fd5a84a16

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 9ccb71b2c48321510033f5b65b46b617
SHA1 0fb724f2ed37057517bb05c3cad34c7486489bfd
SHA256 27d6facf4cbaa06bf7fcf5b29a71ee2a896ab90519a1db2afc3c24866113b03d
SHA512 62c6cee333c6b1149fa41355e94af17e247b4424e2f3eca6edc531d984081dff92388b91af682cc59fb5033c144b3340e66fee1d63ae6df513a43eb72a121dae

memory/2108-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4000-196-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1764-198-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2108-217-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/760-219-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 c1096e46b5872446d0a598034999b814
SHA1 8a9d20be29b6b54f3be92216257625c4b8dc37ba
SHA256 72926cb79a0612372df7ef23f92c81f4187e061dfdadf5643b964bcd468fdd46
SHA512 1e5a91b62aea7bed82bc806f97e515e6137d5cfa96c518c5c4a4cd5bc24885a5579a9cba03e65a0843f11135d04bd4bacf244cf2ca9db9fc91b133dd5f292060

memory/1764-239-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 ddef3498b14a83d3bf7af82f711a0dc6
SHA1 860967d39745fc8173189a07c43bd212ae6a2761
SHA256 54cb4638debb7a0972c94d3e36c31246b5fc2ae4283d0cb1c10fed7df7006c48
SHA512 da1298cebd286487cb92314c652853042d818319d15002ce5a1f4fcd4953b52b11c7b9d18893949bcae2693632ff3c5146f563a349d51d858fbe6e765344aa61

memory/3452-258-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3404-255-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/760-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1896-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3640-269-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3452-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1896-272-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2312-276-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

MD5 542dd3ad0f904288f527cc33115dfb1c
SHA1 b810e723c4f7177989472b68aece37c60861d174
SHA256 e1250d42f530a2cfb917908c6d3648946a8b20aa7312f37030f2f8ed58375d0c
SHA512 e63e382e3cfc91c5976df59d6c5d209ea5e20d9ee7716f6ea5737683616be82950a38f2e8a5e6c253d87424ed44c431a0ea220a199ac2b13633fb91457d0de68

memory/3648-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1616-280-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4192-277-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1572-288-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

MD5 fa0bca404a7457c1bea188c1bc84516d
SHA1 9008a5e3c710b05b157cac20fa989a5a1e46ca4a
SHA256 cd301c07f900c74a03587e896a692692144a086d68458fadf9a199b5e66eee72
SHA512 8613e1ddcdad772d5f6cc97c479d8228ba03c9c08b7530f3b5b530eb54141e40fe8fea5fda2cb124965d03b2c9b1a214ecdb2d51c204ba01f8f4a451262fb789

memory/1616-291-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/3640-285-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2624-303-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2536-304-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1572-309-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2536-312-0x00000000003E0000-0x00000000009DF000-memory.dmp

F:\autorun.inf

MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

memory/3404-367-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/1220-379-0x00000000003E0000-0x00000000009DF000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 8ef1b206311b65e1c5dff5a0a75d0656
SHA1 d56ed04758370fa2856a99f64a5b4f4bffdfc167
SHA256 cb899ad61cc44c006d2db7f8e1172ad864c05b37fa105c19be783431fc2c18d2
SHA512 62929cabe28bf35169c6e97aafd3045500f2ec0f698bf50ac7b7e2dd78e8d62aaad2ce0acf78c83d6a2fdce373c7a887ecdc9a674642af38add406db18bcaec9

memory/1220-262-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/4192-423-0x00000000003E0000-0x00000000009DF000-memory.dmp

memory/2624-424-0x00000000003E0000-0x00000000009DF000-memory.dmp