Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28/04/2024, 14:40

General

  • Target

    056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    056b173fa9ff84e06fef62a4ad9b73d6

  • SHA1

    f8d81e1aefb34ba4b18a4a193063dd12d0fafd4c

  • SHA256

    3a5cbd8a04b3085328507e7d930dd82ba57c5c62145d94ed749a4c80e47b9a8d

  • SHA512

    51732668acdaeba5077cd7122960c254f85d12078ec49a8501a9b354370d5fe1574c5e1b47f7905243106aa7ff5ff68c00f62a7155de82e5eece48c41e7aa890

  • SSDEEP

    3072:ZGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ3mEld:Y753RgWg4aAXjb6aEFfooeLNZB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 52 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 19 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 19 IoCs
  • Disables RegEdit via registry modification 26 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 26 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 64 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 20 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 26 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1576
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies WinLogon
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2884
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Modifies system executable filetype association
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in System32 directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2952
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 392
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1932
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:1912
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:948
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2744
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 400
            5⤵
            • Program crash
            PID:2176
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetWindowsHookEx
              PID:1668
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2720
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 376
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2536
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2648
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2964
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2256
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:596
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:272
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2412
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1756
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 320
          4⤵
          • Program crash
          PID:568
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Modifies system executable filetype association
            • Adds Run key to start application
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:3060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 392
              6⤵
              • Program crash
              PID:2592
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                • Drops file in Windows directory
                PID:2228
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                PID:2804
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Modifies system executable filetype association
            • Adds Run key to start application
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • System policy modification
            PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 392
              6⤵
              • Program crash
              PID:2140
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                PID:704
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in Windows directory
                PID:840
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2108
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:536
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2260
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        PID:2908
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Drops file in Windows directory
        PID:2840
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:2928
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:1544
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:2616
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        PID:1872
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Drops file in System32 directory
        PID:1568
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:1752
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:2756
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:1404
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        PID:2884
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:340
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:2748
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:1128
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:2140
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        PID:1928
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:1696
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:2252
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:1864
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:2072
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Adds Run key to start application
        • Modifies WinLogon
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • System policy modification
        PID:1132
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 376
          4⤵
          • Program crash
          PID:1104
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            PID:2796
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            PID:1816
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Drops file in Windows directory
        PID:1896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:2584
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:952
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:1972
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • System policy modification
        PID:948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 316
          4⤵
          • Program crash
          PID:1284
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            PID:2200
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Drops file in System32 directory
            PID:2724
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        PID:2720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        PID:268
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        PID:1568
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        PID:3068
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • System policy modification
        PID:2880
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          PID:2936
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Drops file in System32 directory
          PID:2344
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          4⤵
          PID:2932
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
          4⤵
          PID:1608
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
          4⤵
          PID:2704
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • System policy modification
        PID:2332
        • C:\Windows\Tiwi.exe
          C:\Windows\Tiwi.exe
          4⤵
          PID:2088
        • C:\Windows\SysWOW64\IExplorer.exe
                                                                    C:\Windows\system32\IExplorer.exe
                                                                    4⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2820
                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                    4⤵
                                                                      PID:2680
                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                      4⤵
                                                                        PID:2760
                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                        4⤵
                                                                          PID:2452
                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                        3⤵
                                                                          PID:980
                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                          3⤵
                                                                            PID:1952
                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                            3⤵
                                                                              PID:2256
                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                            2⤵
                                                                            • Modifies WinLogon for persistence
                                                                            • Modifies visibility of file extensions in Explorer
                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                            • Disables RegEdit via registry modification
                                                                            • Disables cmd.exe use via registry modification
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Modifies system executable filetype association
                                                                            • Adds Run key to start application
                                                                            • Enumerates connected drives
                                                                            • Modifies WinLogon
                                                                            • Drops autorun.inf file
                                                                            • Drops file in System32 directory
                                                                            • Drops file in Windows directory
                                                                            • Modifies Control Panel
                                                                            • Modifies Internet Explorer settings
                                                                            • Modifies Internet Explorer start page
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            • Suspicious use of WriteProcessMemory
                                                                            • System policy modification
                                                                            PID:1464
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1100
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in Windows directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3056
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2944
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1016
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1224
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2604
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in Windows directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2652
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2504
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2552
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2328
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2120
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1652
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2272
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2940
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1736
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1864
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2072
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1016
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2976
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2032
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                                PID:2296
                                                                              • C:\Windows\SysWOW64\IExplorer.exe
                                                                                C:\Windows\system32\IExplorer.exe
                                                                                3⤵
                                                                                  PID:2932
                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                  3⤵
                                                                                    PID:2952
                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                    3⤵
                                                                                      PID:2796
                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                      3⤵
                                                                                        PID:2632
                                                                                      • C:\Windows\Tiwi.exe
                                                                                        C:\Windows\Tiwi.exe
                                                                                        3⤵
                                                                                          PID:2960
                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                          3⤵
                                                                                          • Drops file in Windows directory
                                                                                          PID:2328
                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                          3⤵
                                                                                            PID:2384
                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                            3⤵
                                                                                              PID:1068
                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                              3⤵
                                                                                                PID:948
                                                                                              • C:\Windows\Tiwi.exe
                                                                                                C:\Windows\Tiwi.exe
                                                                                                3⤵
                                                                                                  PID:1672
                                                                                                • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                  C:\Windows\system32\IExplorer.exe
                                                                                                  3⤵
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:1616
                                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                  3⤵
                                                                                                    PID:2776
                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                    3⤵
                                                                                                      PID:2216
                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                      3⤵
                                                                                                        PID:2784
                                                                                                      • C:\Windows\Tiwi.exe
                                                                                                        C:\Windows\Tiwi.exe
                                                                                                        3⤵
                                                                                                          PID:2240
                                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                                          3⤵
                                                                                                            PID:2464
                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                            3⤵
                                                                                                              PID:600
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      3⤵
      PID:1124
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      3⤵
      PID:1812
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      3⤵
      PID:2948
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      3⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2800
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      3⤵
      PID:2344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      3⤵
      PID:344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      3⤵
      PID:2300
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      3⤵
      PID:2552
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      3⤵
      • Drops file in Windows directory
      PID:2684
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      3⤵
      PID:2960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      3⤵
      PID:2316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      3⤵
      PID:2080
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      3⤵
      PID:2212
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      3⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies WinLogon
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • System policy modification
      PID:2456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 376
        4⤵
        • Program crash
        PID:2044
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          5⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in System32 directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • System policy modification
          PID:1256
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 396
            6⤵
            • Program crash
            PID:2404
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              7⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              PID:2268
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              7⤵
              • Drops file in System32 directory
              • Drops file in Windows directory
              PID:1644
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          5⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Modifies system executable filetype association
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • System policy modification
          PID:2656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 388
            6⤵
            • Program crash
            PID:2384
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              7⤵
              • Drops file in System32 directory
              PID:2000
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              7⤵
              PID:1908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      3⤵
      PID:1460
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      3⤵
      PID:1652
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      3⤵
      PID:2400
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    2⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Executes dropped EXE
    • Adds Run key to start application
    • Modifies WinLogon
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 380
      3⤵
      • Loads dropped DLL
      • Program crash
      PID:2396
      • C:\Windows\SysWOW64\Shell.exe
        "C:\Windows\system32\Shell.exe"
        4⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2400
      • C:\Windows\SysWOW64\Shell.exe
        "C:\Windows\system32\Shell.exe"
        4⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:1952
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2852
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    2⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2872
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    2⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:2384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 372
      3⤵
      • Loads dropped DLL
      • Program crash
                                                                                                                                            PID:2584
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2804
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2520
                                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2020
                                                                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2212
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1868
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1604
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                                                                          • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                          • Disables RegEdit via registry modification
                                                                                                                                          • Disables cmd.exe use via registry modification
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Modifies system executable filetype association
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          • Modifies WinLogon
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Modifies Control Panel
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Modifies Internet Explorer start page
                                                                                                                                          • Modifies registry class
                                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          • System policy modification
                                                                                                                                          PID:2408
                                                                                                                                          • C:\Windows\Tiwi.exe
                                                                                                                                            C:\Windows\Tiwi.exe
                                                                                                                                            3⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • Modifies WinLogon
                                                                                                                                            • Modifies Control Panel
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                            • Modifies registry class
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            • System policy modification
                                                                                                                                            PID:1544
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 372
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:700
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                PID:2404
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:2708
                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:976
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:1792
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:3008
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:2064
                                                                                                                                          • C:\Windows\Tiwi.exe
                                                                                                                                            C:\Windows\Tiwi.exe
                                                                                                                                            3⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                            • Modifies WinLogon
                                                                                                                                            • Modifies Control Panel
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                            • Modifies registry class
                                                                                                                                            • System policy modification
                                                                                                                                            PID:2444
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 372
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:1856
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1276
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1872
                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                            3⤵
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            PID:2660
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                            3⤵
                                                                                                                                             PID:2440
                                                                                                                                           • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                             "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                             3⤵
                                                                                                                                             PID:2000
                                                                                                                                           • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                             "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                             3⤵
                                                                                                                                             PID:1980
                                                                                                                                           • C:\Windows\Tiwi.exe
                                                                                                                                             C:\Windows\Tiwi.exe
                                                                                                                                             3⤵
                                                                                                                                             • Modifies WinLogon for persistence
                                                                                                                                             • Modifies visibility of file extensions in Explorer
                                                                                                                                             • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                             • Disables RegEdit via registry modification
                                                                                                                                             • Disables cmd.exe use via registry modification
                                                                                                                                             • Modifies system executable filetype association
                                                                                                                                             • Adds Run key to start application
                                                                                                                                             • Modifies WinLogon
                                                                                                                                             • Modifies Control Panel
                                                                                                                                             • Modifies Internet Explorer settings
                                                                                                                                             • Modifies Internet Explorer start page
                                                                                                                                             • Modifies registry class
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:2260
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 380
                                                                                                                                                    4⤵
                                                                                                                                                    • Program crash
                                                                                                                                                    PID:2416
                                                                                                                                                    • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                      "C:\Windows\system32\Shell.exe"
                                                                                                                                                      5⤵
                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                                                                                      • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                      • Disables RegEdit via registry modification
                                                                                                                                                      • Disables cmd.exe use via registry modification
                                                                                                                                                      • Modifies system executable filetype association
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      • Modifies WinLogon
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                      • Modifies Internet Explorer start page
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      • System policy modification
                                                                                                                                                      PID:976
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 396
                                                                                                                                                        6⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:1924
                                                                                                                                                        • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                          "C:\Windows\system32\Shell.exe"
                                                                                                                                                          7⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                          PID:1964
                                                                                                                                                        • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                          "C:\Windows\system32\Shell.exe"
                                                                                                                                                          7⤵
                                                                                                                                                            PID:1116
                                                                                                                                                      • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                        "C:\Windows\system32\Shell.exe"
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                                        • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                        • Disables RegEdit via registry modification
                                                                                                                                                        • Disables cmd.exe use via registry modification
                                                                                                                                                        • Modifies system executable filetype association
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        • Modifies WinLogon
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                        • Modifies Internet Explorer start page
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • System policy modification
                                                                                                                                                        PID:2644
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 408
                                                                                                                                                          6⤵
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:1236
                                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:668
                                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:2864
                                                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                                                    3⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                    PID:2788
                                                                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1296
                                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2816
                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:3032
                                                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                                                          3⤵
                                                                                                                                                            PID:892
                                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                                            3⤵
                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Modifies WinLogon
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            • Modifies Control Panel
                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:1016
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 372
                                                                                                                                                              4⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:2232
                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                PID:2692
                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                PID:2436
                                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:1920
                                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1900
                                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:2564
                                                                                                                                                                • C:\Windows\Tiwi.exe
                                                                                                                                                                  C:\Windows\Tiwi.exe
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:2772
                                                                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    PID:2720
                                                                                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:2108
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  3⤵
  PID:484
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  3⤵
  PID:2176
• C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  3⤵
  PID:1164
• C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  3⤵
  PID:1964
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  3⤵
  PID:1732
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  3⤵
  PID:2968
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  3⤵
  PID:1720
• C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  3⤵
  PID:2804
• C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  3⤵
  • Drops file in System32 directory
  • Drops file in Windows directory
  PID:2544
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  3⤵
  PID:2604
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  3⤵
  PID:772
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  3⤵
  PID:2904
• C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  3⤵
  PID:1572
• C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  3⤵
  • Drops file in Windows directory
  PID:2096
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  3⤵
  PID:2160
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  3⤵
  PID:2784
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  3⤵
  PID:2772
• C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  3⤵
  PID:3056
• C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  3⤵
  • Drops file in Windows directory
  PID:1696
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  3⤵
  PID:1084
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  3⤵
  PID:1964
• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  3⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
  Filesize: 45KB
  MD5: 55a706d7a466bcd86df2ad63ada72fbe
  SHA1: bdedc34a925890899501a331bff2fae343fedf8f
  SHA256: 97aaa7e192a3f439b7a7d92de64c4e2b7d35d318b8fd05ffd776c316bd10a415
  SHA512: ee3f69fc1fc93300a01a88c1f45ecb59174d72b5dc11d7bd17a06e67357a2d8baba41f88bbb5eb18b4f134e314edcda35be3c01f57692e44ca4fa9eca57f7d6e

• C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  Filesize: 196KB
  MD5: aa69191cb4f92cad489cd889004fa9b8
  SHA1: e75463d030a0515d9bd1f06e20f7ab9dfa33b894
  SHA256: e2741f64cb8b53fa8f289c2d9d620bb84f7653737b9f6d3c748741ee44e9bb87
  SHA512: 84d9d124e7c24d7d965476a11e2cd11eddd42f686541d8d8b7c2f26005f06dad1289e12bf9ea75e50ca4f29e39cf8ef32ec0860710e4e674de351d50901fecfa

• C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  Filesize: 196KB
  MD5: d9330ff2d2897a49a5f211b48ecf81a0
  SHA1: 0d613128a90323fa0b7382f133bf3be6ad5b7969
  SHA256: 73b47bf2bafbbe72876e5169bd055672d86b613b3281e856354d3c99757ff515
  SHA512: 94f45c648baee8eb06da9a5183a632580c9f5108dae8c037e260d393aae128dca1cbacd67f3a3c139664d6d06fd16add09ec6f9ae45dad9fcdd8a7c80878133b

• C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  Filesize: 45KB
  MD5: 659a4d5bab8f07fc941d96adb4e5aa45
  SHA1: 4d5d1a612e05ffedbd14ecfeb5c160d52778972f
  SHA256: d3170cb5cb0db3a05229f49fa560ecb368081e31b9a27f7e15aff7f65972a191
  SHA512: 15e1a9310825c7551a063c1a718058ab541ad253009d6526ea840bafa904a371455d8cee31174d9310c1bc86551d8f2e222aed6717cf2fa4620b214803a2f9e9

• C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  Filesize: 196KB
  MD5: 3b6a400aa725fdb60e58b1df7ace9fd4
  SHA1: c24fc15a6e736f24cf402c6a2f899f78cfa22196
  SHA256: 16748030ecaacc44f345066feb545c9e73b9e3c0c71735ecf3d67f0de738c4ba
  SHA512: 5e1463f3a3b7c04410c0ee68837298c20f0f36d762d25ffc92bb910641597fb8b352e555c516b9f210fc58fbe94e262e16421bd5996cc63834f9a19cb8881289

• C:\Windows\SysWOW64\shell.exe
  Filesize: 196KB
  MD5: 056b173fa9ff84e06fef62a4ad9b73d6
  SHA1: f8d81e1aefb34ba4b18a4a193063dd12d0fafd4c
  SHA256: 3a5cbd8a04b3085328507e7d930dd82ba57c5c62145d94ed749a4c80e47b9a8d
  SHA512: 51732668acdaeba5077cd7122960c254f85d12078ec49a8501a9b354370d5fe1574c5e1b47f7905243106aa7ff5ff68c00f62a7155de82e5eece48c41e7aa890

                                                                                                                                                                                                      • C:\Windows\msvbvm60.dll

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        5343a19c618bc515ceb1695586c6c137

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        4dedae8cbde066f31c8e6b52c0baa3f8b1117742

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

                                                                                                                                                                                                      • C:\Windows\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        b865f38ee602d4bea7f49e50927e3f27

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        fea877d1f07eda4c2fb7d0d9d8ad8adfdbd13582

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        4048cce7679d3c64a6b55cd40e8392f967ad2078697e9c4b080a52a01e166d5a

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        71a848f6bc6365365703371d8154c883355617232a9a9eb405ef9a95bd4ad6bdcf15b69668a856b76e892dd9cb36637452fc1c175c0993c847cfe5142feaf276

                                                                                                                                                                                                      • C:\present.txt

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        729B

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        8e3c734e8dd87d639fb51500d42694b5

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

                                                                                                                                                                                                      • C:\present.txt

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        512B

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        ed5c022f6901de82f05443f0c07b6429

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        227bd0df415110e288e2ac87fed05a8583930be6

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        26019fdf40f8bb69e8c4af78486ac41df6d3874dc1fcf6f7d26a35bf500cb59a

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        ed1c5d6f99c5d00537503ab4c84394a732e3dc6f22d0614075cac3d420d1ea23c45b22873efbd221ad6539a15930df88a383f64a5f6d5953bc533869a807659b

                                                                                                                                                                                                      • C:\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        852db07229417671de463a1159058cb5

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        a4c02a75a8cdf4c8a6c3685bfdfea6ba64e4a4f6

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        48a50ba696262fab3f7409ab5bd03f9c490bbebb1d5b643f9a7017b216b5f7fc

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        eead9868dc28c8113b6d04f5416b4a11f4180cde89d0088d9efe80763fcd24fd1e6b8c4fd54e2a91901c266884ace354ae30a104b2a867b82ec1a86197f4d9c1

                                                                                                                                                                                                      • C:\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        eb2c03dc9d3e0820e2d7b8976d7242b7

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        02e5d38f76702f7b8623bcb1fba69f65fbe9cbcd

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        7bb7ab0031cf35e445e522d6889f458441cb2132497a253ef81503fbca06cf09

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        dc20d9d37afaaf5fec19a67f40ea566669344df6ee01c092c523bdf943b3cb931e7bf0d65f1da2b3a8b0bdcac2488bafd4b71c0ac5a4ba382ae076332b83dbe9

                                                                                                                                                                                                      • F:\autorun.inf

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        39B

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        415c421ba7ae46e77bdee3a681ecc156

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        b0db5782b7688716d6fc83f7e650ffe1143201b7

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\cute.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        9eef7423ec718c992ae29b9c51839311

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        c9abdf9b72dad26600d50a59b8e8166f9d46b3f7

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        becd1a11a7d05885890cb7159a12ebba575a989f74b34c339e9f0178c70ab29a

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        d250194bcea68dd37e3027fd3ae2a12eba0582fedc51c0698031380a3ccf06f18ed75b0ff316ec1d6ef021a03e2bd3550a072b2a733b7baf1e291801485dff1a

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\imoet.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        b9d3fd23c01b931604cadf662c947f6b

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        9b69777e6d29202710cf0bf11936af0ded0132c2

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        929b781556e60891e8bcc14a388c20902c42aebb0a7104be04bd5eb647b1001e

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        18205e13dfd268189a235cf9cf4c066456012a75bcce81041550c3774c86413a990d092aa3b2a41b586ea37174519f421526e69a8555b43146b5e2b5b592c9c7

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        7cb686d2210f20a01c6528cc1941aeda

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        e4a5639cbe500280abd20980b834a595343b82f9

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        d8d902df175782140a2fefa9832f697deaa9f6ab3ace7ff8aeb8000c516ca55d

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        0d69521f81ecb10c1bfe6c03e0ee61d456897b067bbd70bbca1964af78fab83245ce57ee2f2d05856765a0ed92b567f5fd08efd46064756deb7a50c67d2ecc3d

                                                                                                                                                                                                      • \Windows\SysWOW64\IExplorer.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                        MD5

                                                                                                                                                                                                        200c2fc562b34c506d94a4deb133bf1c

                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                        9c417dad454522da2753ba950c2b9bbceb89d824

                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                        f51a921aa7b6c8a4f3905343af4d768a1b00393a6d5d443d02e49e0d64a955c6

                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                        2e77456f7cb9f7af852e0977e2b1b89e75d91148650f1167522707df14d0da6d4d838b6f1521c9506f9d191ecacb7ea57a2c07cbfa891ae3c71a5f4ceaab3092

• \Windows\SysWOW64\shell.exe
  Filesize: 196KB
  MD5: 497bf1a720222fbf71f98aa6243f90ff
  SHA1: d8b437e51abf3a254dc19253139ff0cc2222d361
  SHA256: 6cc64e6543feb7ab3c892c62915de87395ed77354b5d71bdaa4146a08e9f5742
  SHA512: 9e06255655f0255ae82f14ff302e2a7a169ffe6cc292472d3811078b845f41c6a787295db9c150df8d9baad8aa7e33dc09965312b66567a861d6142d9c408b4e

• memory/272-275-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/344-220-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/596-200-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/1100-274-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/1464-210-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/1544-490-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/1576-0-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/1668-421-0x0000000000220000-0x0000000000230000-memory.dmp
  Filesize: 64KB

• memory/1756-428-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/2020-393-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/2120-458-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/2200-141-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/2256-183-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/2408-404-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/2464-98-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/2604-356-0x0000000072940000-0x0000000072A93000-memory.dmp
  Filesize: 1.3MB

• memory/2612-430-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB

• memory/2952-104-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
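The dump entries above encode a process id and an address range in their file name, so the reported sizes can be cross-checked and the dumps grouped by region before anyone opens them in a debugger. The script below is an added example, not part of the tria.ge report or its tooling; it assumes the naming convention memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (inferred from the listing, not documented on the page), recomputes each size as end minus start, groups identical ranges across processes, and sanity-checks the hash fields of the dropped-file entry before they are used as IoCs. The sample input is the listing above, copied verbatim.

```python
import re
from collections import defaultdict

# Assumed naming convention for the dump entries (inferred from the listing,
# not documented on the page): memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Expected hex-digest lengths for the hash fields of a dropped-file entry.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def human_size(nbytes: int) -> str:
    """Reproduce the report's size labels: whole KB below 1 MiB, else one decimal MB."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, index and address range; size is end - start."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not after start: {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def check_dumps(entries):
    """entries: (dump_name, reported_size) pairs.
    Returns ({(start, end): [pids]}, [(name, reported, computed)] for size mismatches)."""
    regions = defaultdict(list)
    mismatches = []
    for name, reported in entries:
        d = parse_dump_name(name)
        computed = human_size(d["size"])
        if computed != reported:
            mismatches.append((name, reported, computed))
        regions[(d["start"], d["end"])].append(d["pid"])
    return dict(regions), mismatches


def validate_dropped_file(entry: dict) -> list:
    """Return the problems found in a dropped-file record (empty if it is usable as an IoC)."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        value = entry.get(algo, "")
        if len(value) != length or not HEX_RE.match(value):
            problems.append(f"{algo}: expected {length} lowercase hex chars")
    return problems


# Constructed sample input: the entries from the listing above, copied verbatim.
DROPPED = {
    "path": r"\Windows\SysWOW64\shell.exe",
    "Filesize": "196KB",
    "MD5": "497bf1a720222fbf71f98aa6243f90ff",
    "SHA1": "d8b437e51abf3a254dc19253139ff0cc2222d361",
    "SHA256": "6cc64e6543feb7ab3c892c62915de87395ed77354b5d71bdaa4146a08e9f5742",
    "SHA512": "9e06255655f0255ae82f14ff302e2a7a169ffe6cc292472d3811078b845f41c6a787295db9c150df8d9baad8aa7e33dc09965312b66567a861d6142d9c408b4e",
}

DUMPS = [
    ("memory/272-275-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/344-220-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/596-200-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1100-274-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/1464-210-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1544-490-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1576-0-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/1668-421-0x0000000000220000-0x0000000000230000-memory.dmp", "64KB"),
    ("memory/1756-428-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/2020-393-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/2120-458-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/2200-141-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/2256-183-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/2408-404-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/2464-98-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/2604-356-0x0000000072940000-0x0000000072A93000-memory.dmp", "1.3MB"),
    ("memory/2612-430-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/2952-104-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
]

if __name__ == "__main__":
    regions, bad = check_dumps(DUMPS)
    for (start, end), pids in sorted(regions.items()):
        print(f"0x{start:08X}-0x{end:08X} ({human_size(end - start)}): pids {sorted(pids)}")
    print("size mismatches:", bad)
    print("dropped-file hash problems:", validate_dropped_file(DROPPED))
```

On this listing the script reports no size mismatches and three distinct regions: 0x400000-0x42A000 (168KB) in ten processes, which is the default image base of a 32-bit executable and so is the place to pull the unpacked image from; 0x72940000-0x72A93000 (1.3MB) at the same address in seven processes, which is what a module mapped at a shared base looks like; and a single 64KB region at 0x220000 in pid 1668. Grouping like this tells you that one dump per region is enough to start with rather than all eighteen.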