Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28/04/2024, 14:40 UTC

General

  • Target

    056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    056b173fa9ff84e06fef62a4ad9b73d6

  • SHA1

    f8d81e1aefb34ba4b18a4a193063dd12d0fafd4c

  • SHA256

    3a5cbd8a04b3085328507e7d930dd82ba57c5c62145d94ed749a4c80e47b9a8d

  • SHA512

    51732668acdaeba5077cd7122960c254f85d12078ec49a8501a9b354370d5fe1574c5e1b47f7905243106aa7ff5ff68c00f62a7155de82e5eece48c41e7aa890

  • SSDEEP

    3072:ZGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ3mEld:Y753RgWg4aAXjb6aEFfooeLNZB

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 52 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 19 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 19 IoCs
  • Disables RegEdit via registry modification 26 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 26 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 64 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 20 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 26 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\056b173fa9ff84e06fef62a4ad9b73d6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1576
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies WinLogon
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2884
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Modifies system executable filetype association
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in System32 directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2952
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 392
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1932
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:1912
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:948
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2744
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 400
            5⤵
            • Program crash
            PID:2176
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetWindowsHookEx
              PID:1668
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2720
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 376
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2536
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2648
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2964
    • C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2256
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:596
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:272
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2412
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2300
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1756
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 320
          4⤵
          • Program crash
          PID:568
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Executes dropped EXE
            • Modifies system executable filetype association
            • Adds Run key to start application
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:3060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 392
              6⤵
              • Program crash
              PID:2592
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                • Drops file in Windows directory
                PID:2228
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                PID:2804
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • Disables RegEdit via registry modification
            • Disables cmd.exe use via registry modification
            • Modifies system executable filetype association
            • Adds Run key to start application
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • System policy modification
            PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 392
              6⤵
              • Program crash
              PID:2140
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in System32 directory
                PID:704
              • C:\Windows\SysWOW64\Shell.exe
                "C:\Windows\system32\Shell.exe"
                7⤵
                • Drops file in Windows directory
                PID:840
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2108
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:536
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2260
      • C:\Windows\Tiwi.exe
        C:\Windows\Tiwi.exe
        3⤵
          PID:2908
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          3⤵
          • Drops file in Windows directory
          PID:2840
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          3⤵
            PID:2928
          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            3⤵
              PID:1544
            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
              3⤵
                PID:2616
              • C:\Windows\Tiwi.exe
                C:\Windows\Tiwi.exe
                3⤵
                  PID:1872
                • C:\Windows\SysWOW64\IExplorer.exe
                  C:\Windows\system32\IExplorer.exe
                  3⤵
                  • Drops file in System32 directory
                  PID:1568
                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                  3⤵
                    PID:1752
                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                    3⤵
                      PID:2756
                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                      3⤵
                        PID:1404
                      • C:\Windows\Tiwi.exe
                        C:\Windows\Tiwi.exe
                        3⤵
                          PID:2884
                        • C:\Windows\SysWOW64\IExplorer.exe
                          C:\Windows\system32\IExplorer.exe
                          3⤵
                          • Drops file in System32 directory
                          • Drops file in Windows directory
                          PID:340
                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                          3⤵
                            PID:2748
                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                            3⤵
                              PID:1128
                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                              3⤵
                                PID:2140
                              • C:\Windows\Tiwi.exe
                                C:\Windows\Tiwi.exe
                                3⤵
                                  PID:1928
                                • C:\Windows\SysWOW64\IExplorer.exe
                                  C:\Windows\system32\IExplorer.exe
                                  3⤵
                                  • Drops file in System32 directory
                                  • Drops file in Windows directory
                                  PID:1696
                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                  3⤵
                                    PID:2252
                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                    3⤵
                                      PID:1864
                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                      3⤵
                                        PID:2072
                                      • C:\Windows\Tiwi.exe
                                        C:\Windows\Tiwi.exe
                                        3⤵
                                        • Modifies WinLogon for persistence
                                        • Disables RegEdit via registry modification
                                        • Disables cmd.exe use via registry modification
                                        • Adds Run key to start application
                                        • Modifies WinLogon
                                        • Modifies Control Panel
                                        • Modifies Internet Explorer settings
                                        • Modifies Internet Explorer start page
                                        • Modifies registry class
                                        • System policy modification
                                        PID:1132
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 376
                                          4⤵
                                          • Program crash
                                          PID:1104
                                          • C:\Windows\SysWOW64\Shell.exe
                                            "C:\Windows\system32\Shell.exe"
                                            5⤵
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            PID:2796
                                          • C:\Windows\SysWOW64\Shell.exe
                                            "C:\Windows\system32\Shell.exe"
                                            5⤵
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            PID:1816
                                      • C:\Windows\SysWOW64\IExplorer.exe
                                        C:\Windows\system32\IExplorer.exe
                                        3⤵
                                        • Drops file in Windows directory
                                        PID:1896
                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                        3⤵
                                          PID:2584
                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                          3⤵
                                            PID:952
                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                            3⤵
                                              PID:1972
                                            • C:\Windows\Tiwi.exe
                                              C:\Windows\Tiwi.exe
                                              3⤵
                                              • Modifies WinLogon for persistence
                                              • Disables RegEdit via registry modification
                                              • Disables cmd.exe use via registry modification
                                              • Modifies system executable filetype association
                                              • Adds Run key to start application
                                              • Modifies Control Panel
                                              • Modifies Internet Explorer settings
                                              • Modifies Internet Explorer start page
                                              • Modifies registry class
                                              • System policy modification
                                              PID:948
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 316
                                                4⤵
                                                • Program crash
                                                PID:1284
                                                • C:\Windows\SysWOW64\Shell.exe
                                                  "C:\Windows\system32\Shell.exe"
                                                  5⤵
                                                    PID:2200
                                                  • C:\Windows\SysWOW64\Shell.exe
                                                    "C:\Windows\system32\Shell.exe"
                                                    5⤵
                                                    • Drops file in System32 directory
                                                    PID:2724
                                              • C:\Windows\SysWOW64\IExplorer.exe
                                                C:\Windows\system32\IExplorer.exe
                                                3⤵
                                                  PID:2720
                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                  3⤵
                                                    PID:268
                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                    3⤵
                                                      PID:1568
                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                      3⤵
                                                        PID:3068
                                                      • C:\Windows\Tiwi.exe
                                                        C:\Windows\Tiwi.exe
                                                        3⤵
                                                        • Modifies WinLogon for persistence
                                                        • Modifies visibility of file extensions in Explorer
                                                        • Modifies visiblity of hidden/system files in Explorer
                                                        • Disables RegEdit via registry modification
                                                        • Disables cmd.exe use via registry modification
                                                        • Modifies system executable filetype association
                                                        • Adds Run key to start application
                                                        • Enumerates connected drives
                                                        • Modifies WinLogon
                                                        • Drops file in System32 directory
                                                        • Drops file in Windows directory
                                                        • Modifies Control Panel
                                                        • Modifies Internet Explorer settings
                                                        • Modifies Internet Explorer start page
                                                        • Modifies registry class
                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                        • System policy modification
                                                        PID:2880
                                                        • C:\Windows\Tiwi.exe
                                                          C:\Windows\Tiwi.exe
                                                          4⤵
                                                            PID:2936
                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                            C:\Windows\system32\IExplorer.exe
                                                            4⤵
                                                            • Drops file in System32 directory
                                                            PID:2344
                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                            4⤵
                                                              PID:2932
                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                              4⤵
                                                                PID:1608
                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                4⤵
                                                                  PID:2704
                                                              • C:\Windows\SysWOW64\IExplorer.exe
                                                                C:\Windows\system32\IExplorer.exe
                                                                3⤵
                                                                • Modifies WinLogon for persistence
                                                                • Modifies visibility of file extensions in Explorer
                                                                • Modifies visiblity of hidden/system files in Explorer
                                                                • Disables RegEdit via registry modification
                                                                • Disables cmd.exe use via registry modification
                                                                • Modifies system executable filetype association
                                                                • Adds Run key to start application
                                                                • Enumerates connected drives
                                                                • Modifies WinLogon
                                                                • Drops file in System32 directory
                                                                • Drops file in Windows directory
                                                                • Modifies Control Panel
                                                                • Modifies Internet Explorer settings
                                                                • Modifies Internet Explorer start page
                                                                • Modifies registry class
                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                • System policy modification
                                                                PID:2332
                                                                • C:\Windows\Tiwi.exe
                                                                  C:\Windows\Tiwi.exe
                                                                  4⤵
                                                                    PID:2088
                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                    C:\Windows\system32\IExplorer.exe
                                                                    4⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2820
                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                    4⤵
                                                                      PID:2680
                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                      4⤵
                                                                        PID:2760
                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                        4⤵
                                                                          PID:2452
                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                        3⤵
                                                                          PID:980
                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                          3⤵
                                                                            PID:1952
                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                            3⤵
                                                                              PID:2256
                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                            2⤵
                                                                            • Modifies WinLogon for persistence
                                                                            • Modifies visibility of file extensions in Explorer
                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                            • Disables RegEdit via registry modification
                                                                            • Disables cmd.exe use via registry modification
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Modifies system executable filetype association
                                                                            • Adds Run key to start application
                                                                            • Enumerates connected drives
                                                                            • Modifies WinLogon
                                                                            • Drops autorun.inf file
                                                                            • Drops file in System32 directory
                                                                            • Drops file in Windows directory
                                                                            • Modifies Control Panel
                                                                            • Modifies Internet Explorer settings
                                                                            • Modifies Internet Explorer start page
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            • Suspicious use of WriteProcessMemory
                                                                            • System policy modification
                                                                            PID:1464
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1100
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in Windows directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3056
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2944
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1016
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1224
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2604
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in Windows directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2652
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2504
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2552
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2328
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2120
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1652
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2272
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2940
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1736
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1864
                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                              C:\Windows\system32\IExplorer.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2072
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1016
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2976
                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2032
                                                                            • C:\Windows\Tiwi.exe
                                                                              C:\Windows\Tiwi.exe
                                                                              3⤵
                                                                                PID:2296
                                                                              • C:\Windows\SysWOW64\IExplorer.exe
                                                                                C:\Windows\system32\IExplorer.exe
                                                                                3⤵
                                                                                  PID:2932
                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                  3⤵
                                                                                    PID:2952
                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                    3⤵
                                                                                      PID:2796
                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                      3⤵
                                                                                        PID:2632
                                                                                      • C:\Windows\Tiwi.exe
                                                                                        C:\Windows\Tiwi.exe
                                                                                        3⤵
                                                                                          PID:2960
                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                          3⤵
                                                                                          • Drops file in Windows directory
                                                                                          PID:2328
                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                          3⤵
                                                                                            PID:2384
                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                            3⤵
                                                                                              PID:1068
                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                              3⤵
                                                                                                PID:948
                                                                                              • C:\Windows\Tiwi.exe
                                                                                                C:\Windows\Tiwi.exe
                                                                                                3⤵
                                                                                                  PID:1672
                                                                                                • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                  C:\Windows\system32\IExplorer.exe
                                                                                                  3⤵
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:1616
                                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                  3⤵
                                                                                                    PID:2776
                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                    3⤵
                                                                                                      PID:2216
                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                      3⤵
                                                                                                        PID:2784
                                                                                                      • C:\Windows\Tiwi.exe
                                                                                                        C:\Windows\Tiwi.exe
                                                                                                        3⤵
                                                                                                          PID:2240
                                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                                          3⤵
                                                                                                            PID:2464
                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                            3⤵
                                                                                                              PID:600
                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                              3⤵
                                                                                                                PID:1124
                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                3⤵
                                                                                                                  PID:1812
                                                                                                                • C:\Windows\Tiwi.exe
                                                                                                                  C:\Windows\Tiwi.exe
                                                                                                                  3⤵
                                                                                                                    PID:2948
                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                    3⤵
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Drops file in Windows directory
                                                                                                                    PID:2800
                                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                    3⤵
                                                                                                                      PID:2344
                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                      3⤵
                                                                                                                        PID:344
                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                        3⤵
                                                                                                                          PID:2300
                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                          3⤵
                                                                                                                            PID:2552
                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                            3⤵
                                                                                                                            • Drops file in Windows directory
                                                                                                                            PID:2684
                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                            3⤵
                                                                                                                              PID:2960
                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                              3⤵
                                                                                                                                PID:2316
                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                3⤵
                                                                                                                                  PID:2080
                                                                                                                                • C:\Windows\Tiwi.exe
                                                                                                                                  C:\Windows\Tiwi.exe
                                                                                                                                  3⤵
                                                                                                                                    PID:2212
                                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                                    3⤵
                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                    • Disables RegEdit via registry modification
                                                                                                                                    • Disables cmd.exe use via registry modification
                                                                                                                                    • Modifies system executable filetype association
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • Modifies WinLogon
                                                                                                                                    • Modifies Control Panel
                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                    • Modifies Internet Explorer start page
                                                                                                                                    • Modifies registry class
                                                                                                                                    • System policy modification
                                                                                                                                    PID:2456
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 376
                                                                                                                                      4⤵
                                                                                                                                      • Program crash
                                                                                                                                      PID:2044
                                                                                                                                      • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                        "C:\Windows\system32\Shell.exe"
                                                                                                                                        5⤵
                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                        • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                        • Disables RegEdit via registry modification
                                                                                                                                        • Disables cmd.exe use via registry modification
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        • Modifies WinLogon
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • Modifies Control Panel
                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                        • Modifies Internet Explorer start page
                                                                                                                                        • Modifies registry class
                                                                                                                                        • System policy modification
                                                                                                                                        PID:1256
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 396
                                                                                                                                          6⤵
                                                                                                                                          • Program crash
                                                                                                                                          PID:2404
                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                            7⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            PID:2268
                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                            7⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            PID:1644
                                                                                                                                      • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                        "C:\Windows\system32\Shell.exe"
                                                                                                                                        5⤵
                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                        • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                        • Disables RegEdit via registry modification
                                                                                                                                        • Disables cmd.exe use via registry modification
                                                                                                                                        • Modifies system executable filetype association
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        • Modifies WinLogon
                                                                                                                                        • Drops file in Windows directory
                                                                                                                                        • Modifies Control Panel
                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                        • Modifies Internet Explorer start page
                                                                                                                                        • Modifies registry class
                                                                                                                                        • System policy modification
                                                                                                                                        PID:2656
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 388
                                                                                                                                          6⤵
                                                                                                                                          • Program crash
                                                                                                                                          PID:2384
                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                            7⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            PID:2000
                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                            7⤵
                                                                                                                                              PID:1908
                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                      3⤵
                                                                                                                                        PID:1460
                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                        3⤵
                                                                                                                                          PID:1652
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                          3⤵
                                                                                                                                            PID:2400
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                          • Disables RegEdit via registry modification
                                                                                                                                          • Disables cmd.exe use via registry modification
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Modifies WinLogon
                                                                                                                                          • Modifies Control Panel
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Modifies Internet Explorer start page
                                                                                                                                          • Modifies registry class
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                          • System policy modification
                                                                                                                                          PID:344
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 380
                                                                                                                                            3⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Program crash
                                                                                                                                            PID:2396
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2400
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:1952
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2852
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2872
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                          • Disables RegEdit via registry modification
                                                                                                                                          • Disables cmd.exe use via registry modification
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Modifies system executable filetype association
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Modifies WinLogon
                                                                                                                                          • Modifies Control Panel
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Modifies Internet Explorer start page
                                                                                                                                          • Modifies registry class
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          • System policy modification
                                                                                                                                          PID:2384
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 372
                                                                                                                                            3⤵
                                                                                                                                            • Loads dropped DLL
                                                                                                                                            • Program crash
                                                                                                                                            PID:2584
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2804
                                                                                                                                            • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                              "C:\Windows\system32\Shell.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2520
                                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2020
                                                                                                                                        • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                          C:\Windows\system32\IExplorer.exe
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:2212
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1868
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1604
                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                          2⤵
                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                          • Modifies visibility of file extensions in Explorer
                                                                                                                                          • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                          • Disables RegEdit via registry modification
                                                                                                                                          • Disables cmd.exe use via registry modification
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Modifies system executable filetype association
                                                                                                                                          • Adds Run key to start application
                                                                                                                                          • Enumerates connected drives
                                                                                                                                          • Modifies WinLogon
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • Modifies Control Panel
                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                          • Modifies Internet Explorer start page
                                                                                                                                          • Modifies registry class
                                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          • System policy modification
                                                                                                                                          PID:2408
                                                                                                                                          • C:\Windows\Tiwi.exe
                                                                                                                                            C:\Windows\Tiwi.exe
                                                                                                                                            3⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • Modifies WinLogon
                                                                                                                                            • Modifies Control Panel
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                            • Modifies registry class
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            • System policy modification
                                                                                                                                            PID:1544
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 372
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:700
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                PID:2404
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:2708
                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:976
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:1792
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:3008
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                            3⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:2064
                                                                                                                                          • C:\Windows\Tiwi.exe
                                                                                                                                            C:\Windows\Tiwi.exe
                                                                                                                                            3⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                            • Modifies WinLogon
                                                                                                                                            • Modifies Control Panel
                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                            • Modifies registry class
                                                                                                                                            • System policy modification
                                                                                                                                            PID:2444
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 372
                                                                                                                                              4⤵
                                                                                                                                              • Program crash
                                                                                                                                              PID:1856
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1276
                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1872
                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                            3⤵
                                                                                                                                            • Drops file in Windows directory
                                                                                                                                            PID:2660
                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                            3⤵
                                                                                                                                              PID:2440
                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                              3⤵
                                                                                                                                                PID:2000
                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                3⤵
                                                                                                                                                  PID:1980
                                                                                                                                                • C:\Windows\Tiwi.exe
                                                                                                                                                  C:\Windows\Tiwi.exe
                                                                                                                                                  3⤵
                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                  • Modifies visibility of file extensions in Explorer
                                                                                                                                                  • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                  • Disables RegEdit via registry modification
                                                                                                                                                  • Disables cmd.exe use via registry modification
                                                                                                                                                  • Modifies system executable filetype association
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  • Modifies WinLogon
                                                                                                                                                  • Modifies Control Panel
                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                  • Modifies Internet Explorer start page
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  • System policy modification
                                                                                                                                                  PID:2260
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 380
                                                                                                                                                    4⤵
                                                                                                                                                    • Program crash
                                                                                                                                                    PID:2416
                                                                                                                                                    • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                      "C:\Windows\system32\Shell.exe"
                                                                                                                                                      5⤵
                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                      • Modifies visibility of file extensions in Explorer
                                                                                                                                                      • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                      • Disables RegEdit via registry modification
                                                                                                                                                      • Disables cmd.exe use via registry modification
                                                                                                                                                      • Modifies system executable filetype association
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      • Modifies WinLogon
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • Modifies Control Panel
                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                      • Modifies Internet Explorer start page
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      • System policy modification
                                                                                                                                                      PID:976
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 396
                                                                                                                                                        6⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:1924
                                                                                                                                                        • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                          "C:\Windows\system32\Shell.exe"
                                                                                                                                                          7⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                          PID:1964
                                                                                                                                                        • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                          "C:\Windows\system32\Shell.exe"
                                                                                                                                                          7⤵
                                                                                                                                                            PID:1116
                                                                                                                                                      • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                        "C:\Windows\system32\Shell.exe"
                                                                                                                                                        5⤵
                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                        • Modifies visibility of file extensions in Explorer
                                                                                                                                                        • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                        • Disables RegEdit via registry modification
                                                                                                                                                        • Disables cmd.exe use via registry modification
                                                                                                                                                        • Modifies system executable filetype association
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        • Modifies WinLogon
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                        • Modifies Internet Explorer start page
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        • System policy modification
                                                                                                                                                        PID:2644
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 408
                                                                                                                                                          6⤵
                                                                                                                                                          • Program crash
                                                                                                                                                          PID:1236
                                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:668
                                                                                                                                                          • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                            "C:\Windows\system32\Shell.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            PID:2864
                                                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                                                    3⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                    PID:2788
                                                                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1296
                                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2816
                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:3032
                                                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                                                          3⤵
                                                                                                                                                            PID:892
                                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                                            3⤵
                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                            • Disables RegEdit via registry modification
                                                                                                                                                            • Disables cmd.exe use via registry modification
                                                                                                                                                            • Modifies system executable filetype association
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Modifies WinLogon
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            • Modifies Control Panel
                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                            • Modifies Internet Explorer start page
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            • System policy modification
                                                                                                                                                            PID:1016
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 372
                                                                                                                                                              4⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:2232
                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                PID:2692
                                                                                                                                                              • C:\Windows\SysWOW64\Shell.exe
                                                                                                                                                                "C:\Windows\system32\Shell.exe"
                                                                                                                                                                5⤵
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                PID:2436
                                                                                                                                                          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                            "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:1920
                                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1900
                                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:2564
                                                                                                                                                                • C:\Windows\Tiwi.exe
                                                                                                                                                                  C:\Windows\Tiwi.exe
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:2772
                                                                                                                                                                  • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                    C:\Windows\system32\IExplorer.exe
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    PID:2720
                                                                                                                                                                  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:2108
                                                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:484
                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:2176
                                                                                                                                                                        • C:\Windows\Tiwi.exe
                                                                                                                                                                          C:\Windows\Tiwi.exe
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:1164
                                                                                                                                                                          • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                            C:\Windows\system32\IExplorer.exe
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:1964
                                                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:1732
                                                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:2968
                                                                                                                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:1720
                                                                                                                                                                                  • C:\Windows\Tiwi.exe
                                                                                                                                                                                    C:\Windows\Tiwi.exe
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:2804
                                                                                                                                                                                    • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                                      C:\Windows\system32\IExplorer.exe
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                      PID:2544
                                                                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:2604
                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:772
                                                                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:2904
                                                                                                                                                                                          • C:\Windows\Tiwi.exe
                                                                                                                                                                                            C:\Windows\Tiwi.exe
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:1572
                                                                                                                                                                                            • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                                              C:\Windows\system32\IExplorer.exe
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                              PID:2096
                                                                                                                                                                                            • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                                              "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                                              3⤵
                                                                                                                                                                                                PID:2160
                                                                                                                                                                                              • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                                                                "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:2784
                                                                                                                                                                                                • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                                                  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:2772
                                                                                                                                                                                                  • C:\Windows\Tiwi.exe
                                                                                                                                                                                                    C:\Windows\Tiwi.exe
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:3056
                                                                                                                                                                                                    • C:\Windows\SysWOW64\IExplorer.exe
                                                                                                                                                                                                      C:\Windows\system32\IExplorer.exe
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      PID:1696
                                                                                                                                                                                                    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                                                                                                                                                                                                      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1084
                                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                                                                                                                                                                                                        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1964
                                                                                                                                                                                                        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                                                                                                                                                                                                          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:1364

                                                                                                                                                                                                      Network

                                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        45KB

                                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        45KB

                                                                                                                                                                                                      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\Windows\SysWOW64\shell.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\Windows\msvbvm60.dll

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        1.3MB

                                                                                                                                                                                                      • C:\Windows\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\present.txt

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        729B

                                                                                                                                                                                                      • C:\present.txt

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        512B

                                                                                                                                                                                                      • C:\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • C:\tiwi.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • F:\autorun.inf

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        39B

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\cute.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\imoet.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • \Users\Admin\AppData\Local\WINDOWS\winlogon.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • \Windows\SysWOW64\IExplorer.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB

                                                                                                                                                                                                      • \Windows\SysWOW64\shell.exe

                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                        196KB
