Analysis
- max time kernel: 120s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 20:46
Behavioral tasks
- behavioral1: sample 32a27ccd8f957c5124a1b14332a74d20N.exe, resource win7-20240704-en (Windows 7 x64)
- behavioral2: sample 32a27ccd8f957c5124a1b14332a74d20N.exe, resource win10v2004-20240802-en (Windows 10 2004)
The signatures, memory dumps and process tree below come from behavioral1, the Windows 7 run.
General
- Target: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Size: 190KB
- MD5: 32a27ccd8f957c5124a1b14332a74d20
- SHA1: 5efe4f64e26b616822c6eb2e61f0790fd753068c
- SHA256: ce5cc4257768b68406ea4969fb5e2b6aac5cc269e2df34213d5e7f8b2d8d9733
- SHA512: 5a0ad8a5e66329a0fc1809c9ed8aa7251a27a91baeb4cfc6f88ba3ca98e1243eb0e0c3e63454b78f391f9f1b977323a47c85d9407fb174b76d3e4e3adb5e3595
- SSDEEP: 3072:HGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8CP2:m753RgWg4aAXjb6aEFfooeLNZxC
Malware Config
(no configuration extracted)
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
The stock values are Shell = "explorer.exe" and Userinit = "C:\Windows\system32\userinit.exe,"; both have had the dropped IExplorer.exe appended so that it starts with every interactive logon. Two caveats for a responder: the sample is a 32-bit process on an x64 image, so the writes landed in the Wow6432Node view, and the file was created in C:\Windows\SysWOW64 (see "Drops file in System32 directory") while the values name C:\Windows\system32. Whether the 64-bit winlogon.exe on the host actually picks these up should be verified, not assumed.
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (32a27ccd8f957c5124a1b14332a74d20N.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (32a27ccd8f957c5124a1b14332a74d20N.exe)
With extensions hidden and protected operating-system files not shown, the dropped executables are harder to spot in Explorer; see also the exefile type name "File Folder" under "Modifies system executable filetype association".
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (32a27ccd8f957c5124a1b14332a74d20N.exe)
Disables Task Manager via registry modification
(no IoC listed)
Disables cmd.exe use via registry modification (1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" (32a27ccd8f957c5124a1b14332a74d20N.exe)
DisableCMD = 1 blocks both the interactive command prompt and batch-file execution (a value of 2 would block only the interactive prompt). Note that this one is written machine-wide under HKLM\...\Policies\System, whereas DisableRegistryTools is per-user.
Disables use of System Restore points (1 TTP)
(no IoC listed)
Executes dropped EXE (64 IoCs)
- 2568 Tiwi.exe
- Shell.exe, 63 instances, PIDs: 2108, 2676, 1904, 1028, 1424, 2824, 108, 2320, 1240, 2304, 1720, 1796, 2068, 1216, 2924, 1548, 1016, 852, 1840, 920, 1580, 2908, 688, 288, 1952, 2112, 2372, 1516, 2248, 1564, 2244, 1692, 2976, 1644, 2640, 2724, 2748, 2624, 2716, 2660, 3012, 2540, 2508, 2992, 3000, 2856, 1828, 2288, 2780, 1496, 1896, 2912, 996, 2064, 1104, 572, 1572, 880, 1336, 1528, 1244, 560, 2116
Loads dropped DLL (64 IoCs)
- WerFault.exe, 32 instances with two loads each, PIDs: 2192, 2024, 1928, 1520, 1340, 2832, 1656, 1248, 2308, 2928, 2184, 1908, 2296, 1464, 1844, 812, 736, 1660, 1352, 732, 1416, 1484, 2336, 2368, 1944, 1000, 3040, 2576, 2348, 1732, 2896, 1964
These are the WerFault.exe instances that handled the Tiwi.exe and Shell.exe crashes listed under "Program crash".
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
The stock open command for exefile, batfile, comfile and piffile is "%1" %* (lnkfile normally has no open command at all). After this change every shell launch of an .exe, .bat, .com, .pif or .lnk is routed through the dropped shell.exe with the original target as its argument, and renaming the exefile type to "File Folder" makes executables display as folders once extensions are hidden. The command names C:\Windows\system32\shell.exe, but the file was created in C:\Windows\SysWOW64 (see "Drops file in System32 directory"); in this run the handler crashed on every invocation, which is what the Shell.exe / WerFault.exe chain under "Program crash" and in the process tree shows.
UPX packed file (yara rule upx, 64 IoCs)
- Files: behavioral1/files/0x0003000000017801-7.dat, behavioral1/files/0x000700000001722f-99.dat, behavioral1/files/0x0003000000017801-102.dat
- Memory, region 0x0000000000400000-0x0000000000434000, as PID-event: 2220-0, 2108-105, 108-137, 2220-136, 2568-154, 2108-160, 2676-166, 1904-172, 1028-178, 1424-184, 2824-190, 108-196, 2320-202, 1240-208, 2304-214, 1580-223, 1720-221, 1796-224, 2068-227, 1216-230, 2924-233, 1548-236, 1016-239, 852-242, 1840-245, 920-248, 1580-251, 2908-254, 688-257, 288-260, 1952-263, 2112-266, 2372-269, 1516-272, 2248-275, 1564-278, 2244-281, 1692-284, 2976-287, 1644-290, 2640-293, 2724-296, 2748-299, 2624-302, 2716-305, 2660-308, 3012-311, 2540-314, 2508-317, 2992-320, 3000-323, 2856-326, 1828-329, 2288-332, 2780-335, 1496-338, 1896-341, 2912-344, 996-347, 2064-350
- Memory, region 0x0000000001BD0000-0x0000000001C04000: 2220-94
Every process in the run (the sample, Tiwi.exe and each Shell.exe instance) maps the same 0x34000-byte UPX-packed image at 0x400000, consistent with the dropped files being copies of the same packed binary.
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"
The value names (MSMSGS, LogonAdmin, System Monitoring) mimic legitimate software. The "Local Settings\Application Data" path is the Windows XP layout, which on Windows 7 survives only as a compatibility junction to AppData\Local; none of winlogon.exe, imoet.exe or cute.exe under that directory appears among the files dropped in this run, so these three entries are dangling here. The tiwi value omits the extension and refers to the dropped C:\Windows\tiwi.exe (see "Drops file in Windows directory").
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 32a27ccd8f957c5124a1b14332a74d20N.exe on \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Modifies WinLogon (2 TTPs, 3 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "
  (Indonesian; in English: "When the Princess fell asleep, I lit a lantern to keep her warm, and I waited for her to wake. Who knows how long until she sees the sincerity of my heart.... (like on somebody's fs page, eh??) :P")
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"
LegalNoticeCaption and LegalNoticeText are the legal-notice banner shown before the logon prompt; here they carry the author's message rather than any persistence.
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- File created C:\autorun.inf
- File opened for modification C:\autorun.inf
- File created F:\autorun.inf
- File opened for modification F:\autorun.inf
Drops file in System32 directory (6 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- File created C:\Windows\SysWOW64\shell.exe
- File opened for modification C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\tiwi.scr
- File opened for modification C:\Windows\SysWOW64\tiwi.scr
- File created C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\IExplorer.exe
Drops file in Windows directory (2 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- File created C:\Windows\tiwi.exe
- File opened for modification C:\Windows\tiwi.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
(no IoC listed)
Program crash (64 IoCs)
WerFault.exe PID → crashed PID (procid_target):
2192 → 2568 (30), 2024 → 2108 (32), 1928 → 2676 (34), 1520 → 1904 (36), 1340 → 1028 (38), 2832 → 1424 (40), 1656 → 2824 (42), 1248 → 108 (44), 2308 → 2320 (46), 2928 → 1240 (48), 2184 → 2304 (50), 1908 → 1720 (52), 2296 → 1796 (54), 1464 → 2068 (56), 1844 → 1216 (58), 812 → 2924 (60), 736 → 1548 (62), 1660 → 1016 (64), 1352 → 852 (66), 732 → 1840 (68), 1416 → 920 (70), 1484 → 1580 (72), 2336 → 2908 (74), 2368 → 688 (76), 1944 → 288 (78), 1000 → 1952 (80), 3040 → 2112 (82), 2576 → 2372 (84), 2348 → 1516 (86), 1732 → 2248 (88), 2896 → 1564 (90), 1964 → 2244 (92), 3024 → 1692 (94), 3064 → 2976 (96), 2632 → 1644 (98), 2712 → 2640 (100), 2648 → 2724 (102), 2060 → 2748 (104), 2900 → 2624 (106), 2056 → 2716 (108), 2520 → 2660 (110), 1912 → 3012 (112), 2484 → 2540 (114), 2612 → 2508 (116), 2752 → 2992 (118), 1696 → 3000 (120), 2848 → 2856 (122), 912 → 1828 (124), 432 → 2288 (126), 760 → 2780 (128), 524 → 1496 (130), 2364 → 1896 (132), 2920 → 2912 (134), 2012 → 996 (136), 2104 → 2064 (138), 1652 → 1104 (140), 1328 → 572 (142), 1088 → 1572 (144), 2492 → 880 (146), 1756 → 1336 (148), 1508 → 1528 (150), 924 → 1244 (152), 1032 → 560 (154), 1980 → 2116 (156)
The first crash is Tiwi.exe (2568); every later one is a Shell.exe instance from "Executes dropped EXE".
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 64 times: 27 attributed to Shell.exe, 1 to IExplorer.exe and 36 to "Process not Found" (the process had already exited when the report was assembled, so its name could not be resolved)
Modifies Control Panel (9 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Tiwi"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Tiwi"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Mouse\
- Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Mouse\SwapMouseButtons = "1"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
s1159 and s2359 are the AM/PM designators, so clocks show "Tiwi" instead of AM/PM; the mouse buttons are swapped; and the dropped tiwi.scr is registered as the screen saver, firing after 600 seconds without a password on resume. This is a second per-user autostart path alongside the Run keys.
Modifies Internet Explorer settings (3 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."
Modifies Internet Explorer start page (1 TTP, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" (32a27ccd8f957c5124a1b14332a74d20N.exe)
Modifies registry class (19 IoCs)
Process: 32a27ccd8f957c5124a1b14332a74d20N.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (the "My Computer" shell folder)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin shell folder)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
This repeats the open-command hijacks from "Modifies system executable filetype association" and adds two items: the two CLSID keys are only created, with no values shown, and the inffile "Install" hijack is written to a value literally named Default rather than to the key's unnamed default value (which this report renders as a trailing backslash, as in the other command\ entries), so it does not take effect; C:\WINDOWS\win\system\host32.exe is also not among the files dropped in this run.
Suspicious behavior: EnumeratesProcesses (1 IoC)
- 2220 32a27ccd8f957c5124a1b14332a74d20N.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
- 2220 32a27ccd8f957c5124a1b14332a74d20N.exe
- 2568 Tiwi.exe
- Shell.exe, 62 instances, PIDs: 2108, 2676, 1904, 1028, 1424, 2824, 108, 2320, 1240, 2304, 1720, 1796, 2068, 1216, 2924, 1548, 1016, 852, 1840, 920, 1580, 2908, 688, 288, 1952, 2112, 2372, 1516, 2248, 1564, 2244, 1692, 2976, 1644, 2640, 2724, 2748, 2624, 2716, 2660, 3012, 2540, 2508, 2992, 3000, 2856, 1828, 2288, 2780, 1496, 1896, 2912, 996, 2064, 1104, 572, 1572, 880, 1336, 1528, 1244, 560
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent → child pair below is recorded four times; procid_target in parentheses:
- 2220 32a27ccd8f957c5124a1b14332a74d20N.exe → 2568 (30)
- 2568 Tiwi.exe → 2192 (31)
- Shell.exe → WerFault.exe: 2108 → 2024 (33), 2676 → 1928 (35), 1904 → 1520 (37), 1028 → 1340 (39), 1424 → 2832 (41), 2824 → 1656 (43), 108 → 1248 (45), 2320 → 2308 (47), 1240 → 2928 (49), 2304 → 2184 (51), 1720 → 1908 (53), 1796 → 2296 (55), 2068 → 1464 (57), 1216 → 1844 (59)
Apart from the sample launching Tiwi.exe, every target is a WerFault.exe instance from "Program crash", i.e. the writes are the crash handler being set up rather than code injection into a third process.
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 32a27ccd8f957c5124a1b14332a74d20N.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\32a27ccd8f957c5124a1b14332a74d20N.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\32a27ccd8f957c5124a1b14332a74d20N.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220 -
[depth 2] C:\Windows\Tiwi.exe  cmdline: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568 -
[depth 3] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 216
- Loads dropped DLL
- Program crash
PID:2192 -
[depth 4] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108 -
[depth 5] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 236
- Loads dropped DLL
- Program crash
PID:2024 -
[depth 6] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676 -
[depth 7] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 256
- Loads dropped DLL
- Program crash
PID:1928 -
[depth 8] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904 -
[depth 9] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 276
- Loads dropped DLL
- Program crash
PID:1520 -
[depth 10] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028 -
[depth 11] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 296
- Loads dropped DLL
- Program crash
PID:1340 -
[depth 12] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424 -
[depth 13] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 316
- Loads dropped DLL
- Program crash
PID:2832 -
[depth 14] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
[depth 15] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 336
- Loads dropped DLL
- Program crash
PID:1656 -
[depth 16] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108 -
[depth 17] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 356
- Loads dropped DLL
- Program crash
PID:1248 -
[depth 18] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320 -
[depth 19] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 376
- Loads dropped DLL
- Program crash
PID:2308 -
[depth 20] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240 -
[depth 21] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 396
- Loads dropped DLL
- Program crash
PID:2928 -
[depth 22] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304 -
[depth 23] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 416
- Loads dropped DLL
- Program crash
PID:2184 -
[depth 24] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720 -
[depth 25] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 436
- Loads dropped DLL
- Program crash
PID:1908 -
[depth 26] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796 -
[depth 27] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 456
- Loads dropped DLL
- Program crash
PID:2296 -
[depth 28] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068 -
[depth 29] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 476
- Loads dropped DLL
- Program crash
PID:1464 -
[depth 30] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216 -
[depth 31] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 496
- Loads dropped DLL
- Program crash
PID:1844 -
[depth 32] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924 -
[depth 33] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 516
- Loads dropped DLL
- Program crash
PID:812 -
[depth 34] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548 -
[depth 35] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 536
- Loads dropped DLL
- Program crash
PID:736 -
[depth 36] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1016 -
[depth 37] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 556
- Loads dropped DLL
- Program crash
PID:1660 -
[depth 38] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:852 -
[depth 39] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 576
- Loads dropped DLL
- Program crash
PID:1352 -
[depth 40] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840 -
[depth 41] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 596
- Loads dropped DLL
- Program crash
PID:732 -
[depth 42] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:920 -
[depth 43] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 616
- Loads dropped DLL
- Program crash
PID:1416 -
[depth 44] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580 -
[depth 45] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 636
- Loads dropped DLL
- Program crash
PID:1484 -
[depth 46] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2908 -
[depth 47] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 656
- Loads dropped DLL
- Program crash
PID:2336 -
[depth 48] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688 -
[depth 49] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 676
- Loads dropped DLL
- Program crash
PID:2368 -
[depth 50] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:288 -
[depth 51] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 696
- Loads dropped DLL
- Program crash
PID:1944 -
[depth 52] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952 -
[depth 53] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 716
- Loads dropped DLL
- Program crash
PID:1000 -
[depth 54] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112 -
[depth 55] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 736
- Loads dropped DLL
- Program crash
PID:3040 -
[depth 56] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2372 -
[depth 57] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 756
- Loads dropped DLL
- Program crash
PID:2576 -
[depth 58] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516 -
[depth 59] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 776
- Loads dropped DLL
- Program crash
PID:2348 -
[depth 60] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248 -
[depth 61] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 796
- Loads dropped DLL
- Program crash
PID:1732 -
[depth 62] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564 -
[depth 63] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 816
- Loads dropped DLL
- Program crash
PID:2896 -
[depth 64] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2244 -
[depth 65] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 836
- Loads dropped DLL
- Program crash
PID:1964 -
[depth 66] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692 -
[depth 67] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 856
- Program crash
PID:3024 -
[depth 68] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976 -
[depth 69] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 876
- Program crash
PID:3064 -
[depth 70] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1644 -
[depth 71] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 896
- Program crash
PID:2632 -
[depth 72] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2640 -
[depth 73] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 916
- Program crash
PID:2712 -
[depth 74] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724 -
[depth 75] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 936
- Program crash
PID:2648 -
[depth 76] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748 -
[depth 77] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 956
- Program crash
PID:2060 -
[depth 78] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2624 -
[depth 79] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 976
- Program crash
PID:2900 -
[depth 80] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716 -
[depth 81] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 996
- Program crash
PID:2056 -
[depth 82] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660 -
[depth 83] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1016
- Program crash
PID:2520 -
[depth 84] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3012 -
[depth 85] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1040
- Program crash
PID:1912 -
[depth 86] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540 -
[depth 87] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1060
- Program crash
PID:2484 -
[depth 88] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2508 -
[depth 89] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1080
- Program crash
PID:2612 -
[depth 90] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992 -
[depth 91] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1100
- Program crash
PID:2752 -
[depth 92] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000 -
[depth 93] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1120
- Program crash
PID:1696 -
[depth 94] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2856 -
[depth 95] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1140
- Program crash
PID:2848 -
[depth 96] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828 -
[depth 97] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1160
- Program crash
PID:912 -
[depth 98] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2288 -
[depth 99] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1180
- Program crash
PID:432 -
[depth 100] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780 -
[depth 101] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1200
- Program crash
PID:760 -
[depth 102] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1496 -
[depth 103] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1220
- Program crash
PID:524 -
[depth 104] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1896 -
[depth 105] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1240
- Program crash
PID:2364 -
[depth 106] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2912 -
[depth 107] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1260
- Program crash
PID:2920 -
[depth 108] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:996 -
[depth 109] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1280
- Program crash
PID:2012 -
[depth 110] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2064 -
[depth 111] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1300
- Program crash
PID:2104 -
[depth 112] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1104 -
[depth 113] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1320
- Program crash
PID:1652 -
[depth 114] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572 -
[depth 115] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1340
- Program crash
PID:1328 -
[depth 116] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572 -
[depth 117] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1360
- Program crash
PID:1088 -
[depth 118] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880 -
[depth 119] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1380
- Program crash
PID:2492 -
[depth 120] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336 -
[depth 121] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1400
- Program crash
PID:1756 -
[depth 122] C:\Windows\SysWOW64\Shell.exe  cmdline: "C:\Windows\system32\Shell.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528