ce5cc4257768b68406ea4969fb5e2b6aac5cc269e2df34213d5e7f8b2d8d9733

Analysis

max time kernel
119s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a27ccd8f957c5124a1b14332a74d20N.exe
Size

190KB
MD5

32a27ccd8f957c5124a1b14332a74d20
SHA1

5efe4f64e26b616822c6eb2e61f0790fd753068c
SHA256

ce5cc4257768b68406ea4969fb5e2b6aac5cc269e2df34213d5e7f8b2d8d9733
SHA512

5a0ad8a5e66329a0fc1809c9ed8aa7251a27a91baeb4cfc6f88ba3ca98e1243eb0e0c3e63454b78f391f9f1b977323a47c85d9407fb174b76d3e4e3adb5e3595
SSDEEP

3072:HGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8CP2:m753RgWg4aAXjb6aEFfooeLNZxC

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	32a27ccd8f957c5124a1b14332a74d20N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
3476	Tiwi.exe
4476	Shell.exe
1644	Shell.exe
4808	Shell.exe
4708	Shell.exe
2156	Shell.exe
2004	Shell.exe
1736	Shell.exe
512	Shell.exe
1248	Shell.exe
2648	Shell.exe
4880	Shell.exe
1472	Shell.exe
2244	Shell.exe
3928	Shell.exe
2460	Shell.exe
2188	Shell.exe
4832	Shell.exe
3128	Shell.exe
1616	Shell.exe
376	Shell.exe
1416	Shell.exe
1676	Shell.exe
3144	Shell.exe
2940	Shell.exe
4408	Shell.exe
2124	Shell.exe
1564	Shell.exe
4628	Shell.exe
4936	Shell.exe
1472	Shell.exe
1792	IExplorer.exe
3736	Tiwi.exe
3140	Shell.exe
1488	Shell.exe
2660	Shell.exe
4736	Shell.exe
4904	Shell.exe
3572	Shell.exe
1808	Shell.exe
2636	Shell.exe
4224	Shell.exe
2348	Shell.exe
224	Shell.exe
3164	Shell.exe
2708	Shell.exe
3244	Shell.exe
2720	Shell.exe
3440	Shell.exe
4436	Shell.exe
3968	Shell.exe
3724	Shell.exe
3148	Shell.exe
2940	Shell.exe
4592	Shell.exe
2124	Shell.exe
3496	Shell.exe
1668	Shell.exe
2328	Shell.exe
884	Shell.exe
4576	Shell.exe
400	Shell.exe
1480	Shell.exe
1644	IExplorer.exe

Loads dropped DLL 4 IoCs

pid	Process
3164	Tiwi.exe
2004	Tiwi.exe
1028	Tiwi.exe
4068	Tiwi.exe

Modifies system executable filetype association 2 TTPs 57 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3076-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0007000000023473-7.dat	upx
behavioral2/files/0x0007000000023471-94.dat	upx
behavioral2/memory/3476-95-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0007000000023473-99.dat	upx
behavioral2/memory/4476-100-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4708-113-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2156-117-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4808-118-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1736-123-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1736-126-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/512-130-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2004-131-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1644-132-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3076-134-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3476-138-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4476-142-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4880-145-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1472-149-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2648-150-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3928-157-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2460-161-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2244-162-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1248-163-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1616-176-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/376-180-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3128-181-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1676-188-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3144-192-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1416-193-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4832-194-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2188-202-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2124-205-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1564-209-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4408-210-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4936-217-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1472-221-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4628-222-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2940-223-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0007000000023475-225.dat	upx
behavioral2/memory/1792-227-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1792-230-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0007000000023471-274.dat	upx
behavioral2/memory/3736-275-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3140-279-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x0007000000023473-278.dat	upx
behavioral2/memory/4736-291-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4904-295-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2660-296-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1808-303-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2636-305-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2636-308-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3572-309-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1488-310-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3736-315-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3140-319-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/224-322-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3164-326-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2348-327-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3244-334-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2720-338-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2708-339-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4224-340-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3724-353-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\H:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\J:	Shell.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\T:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\B:	Shell.exe
File opened (read-only)	\??\Y:	Shell.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\S:	Shell.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\X:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\P:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\Q:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\O:	Shell.exe
File opened (read-only)	\??\S:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\Y:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\E:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\H:	Shell.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\L:	Shell.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\B:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\R:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\I:	Shell.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\Z:	Shell.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\O:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\N:	Shell.exe
File opened (read-only)	\??\V:	Shell.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\Q:	Shell.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\I:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\K:	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\B:	winlogon.exe

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	C:\autorun.inf	32a27ccd8f957c5124a1b14332a74d20N.exe
File created	F:\autorun.inf	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	F:\autorun.inf	32a27ccd8f957c5124a1b14332a74d20N.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	32a27ccd8f957c5124a1b14332a74d20N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\tiwi.scr	32a27ccd8f957c5124a1b14332a74d20N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File created	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\tiwi.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	32a27ccd8f957c5124a1b14332a74d20N.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Program crash 50 IoCs

pid	pid_target	Process	procid_target
1624	3476	WerFault.exe	87
3480	4476	WerFault.exe	93
3232	1644	WerFault.exe	96
3244	4808	WerFault.exe	100
4512	2004	WerFault.exe	108
4632	1248	WerFault.exe	116
1988	2648	WerFault.exe	119
4088	2244	WerFault.exe	126
4592	2188	WerFault.exe	133
4384	4832	WerFault.exe	136
3780	3128	WerFault.exe	139
2720	1416	WerFault.exe	146
452	2940	WerFault.exe	153
1392	4408	WerFault.exe	156
4948	4628	WerFault.exe	163
1652	3736	WerFault.exe	178
4412	3140	WerFault.exe	181
2124	1488	WerFault.exe	184
4272	2660	WerFault.exe	187
1904	3572	WerFault.exe	194
1480	4224	WerFault.exe	201
2328	2348	WerFault.exe	204
4220	2708	WerFault.exe	211
2468	3440	WerFault.exe	218
1996	4436	WerFault.exe	221
464	3968	WerFault.exe	224
1000	2940	WerFault.exe	231
2440	3496	WerFault.exe	238
2156	1668	WerFault.exe	241
4380	4576	WerFault.exe	248
264	1704	WerFault.exe	258
2188	5028	WerFault.exe	261
3928	228	WerFault.exe	264
852	2192	WerFault.exe	267
2072	5092	WerFault.exe	274
3468	2424	WerFault.exe	281
3544	1028	WerFault.exe	284
1732	4720	WerFault.exe	291
4804	464	WerFault.exe	298
4440	3568	WerFault.exe	301
4756	2940	WerFault.exe	306
4376	1568	WerFault.exe	312
528	2664	WerFault.exe	319
4576	4412	WerFault.exe	322
4008	2556	WerFault.exe	329
3604	3080	WerFault.exe	339
4888	4576	WerFault.exe	352
4304	2332	WerFault.exe	358
4092	1668	WerFault.exe	365
4764	872	WerFault.exe	375

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	Tiwi.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 5 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3076	32a27ccd8f957c5124a1b14332a74d20N.exe
3076	32a27ccd8f957c5124a1b14332a74d20N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3076	32a27ccd8f957c5124a1b14332a74d20N.exe
3476	Tiwi.exe
4476	Shell.exe
1644	Shell.exe
4808	Shell.exe
4708	Shell.exe
2156	Shell.exe
2004	Shell.exe
1736	Shell.exe
512	Shell.exe
1248	Shell.exe
2648	Shell.exe
4880	Shell.exe
1472	Shell.exe
2244	Shell.exe
3928	Shell.exe
2460	Shell.exe
2188	Shell.exe
4832	Shell.exe
3128	Shell.exe
1616	Shell.exe
376	Shell.exe
1416	Shell.exe
1676	Shell.exe
3144	Shell.exe
2940	Shell.exe
4408	Shell.exe
2124	Shell.exe
1564	Shell.exe
4628	Shell.exe
4936	Shell.exe
1472	Shell.exe
1792	IExplorer.exe
3736	Tiwi.exe
3140	Shell.exe
1488	Shell.exe
2660	Shell.exe
4736	Shell.exe
4904	Shell.exe
3572	Shell.exe
1808	Shell.exe
2636	Shell.exe
4224	Shell.exe
2348	Shell.exe
224	Shell.exe
3164	Shell.exe
2708	Shell.exe
3244	Shell.exe
2720	Shell.exe
3440	Shell.exe
4436	Shell.exe
3968	Shell.exe
3724	Shell.exe
3148	Shell.exe
2940	Shell.exe
4592	Shell.exe
2124	Shell.exe
3496	Shell.exe
1668	Shell.exe
2328	Shell.exe
884	Shell.exe
4576	Shell.exe
400	Shell.exe
1480	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3476	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	87
PID 3076 wrote to memory of 3476	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	87
PID 3076 wrote to memory of 3476	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	87
PID 3076 wrote to memory of 1792	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	170
PID 3076 wrote to memory of 1792	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	170
PID 3076 wrote to memory of 1792	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	170
PID 3076 wrote to memory of 3736	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	178
PID 3076 wrote to memory of 3736	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	178
PID 3076 wrote to memory of 3736	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	178
PID 3076 wrote to memory of 1644	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	255
PID 3076 wrote to memory of 1644	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	255
PID 3076 wrote to memory of 1644	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	255
PID 3076 wrote to memory of 1704	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	258
PID 3076 wrote to memory of 1704	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	258
PID 3076 wrote to memory of 1704	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	258
PID 3076 wrote to memory of 464	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	298
PID 3076 wrote to memory of 464	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	298
PID 3076 wrote to memory of 464	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	298
PID 3076 wrote to memory of 2260	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	334
PID 3076 wrote to memory of 2260	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	334
PID 3076 wrote to memory of 2260	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	334
PID 3076 wrote to memory of 1216	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	338
PID 3076 wrote to memory of 1216	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	338
PID 3076 wrote to memory of 1216	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	338
PID 3076 wrote to memory of 3080	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	339
PID 3076 wrote to memory of 3080	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	339
PID 3076 wrote to memory of 3080	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	339
PID 2260 wrote to memory of 3164	2260	cute.exe	344
PID 2260 wrote to memory of 3164	2260	cute.exe	344
PID 2260 wrote to memory of 3164	2260	cute.exe	344
PID 3076 wrote to memory of 1360	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	345
PID 3076 wrote to memory of 1360	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	345
PID 3076 wrote to memory of 1360	3076	32a27ccd8f957c5124a1b14332a74d20N.exe	345
PID 2260 wrote to memory of 1500	2260	cute.exe	346
PID 2260 wrote to memory of 1500	2260	cute.exe	346
PID 2260 wrote to memory of 1500	2260	cute.exe	346
PID 2036 wrote to memory of 2004	2036	Shell.exe	347
PID 2036 wrote to memory of 2004	2036	Shell.exe	347
PID 2036 wrote to memory of 2004	2036	Shell.exe	347
PID 2036 wrote to memory of 4336	2036	Shell.exe	348
PID 2036 wrote to memory of 4336	2036	Shell.exe	348
PID 2036 wrote to memory of 4336	2036	Shell.exe	348
PID 1216 wrote to memory of 1028	1216	winlogon.exe	349
PID 1216 wrote to memory of 1028	1216	winlogon.exe	349
PID 1216 wrote to memory of 1028	1216	winlogon.exe	349
PID 1216 wrote to memory of 4032	1216	winlogon.exe	350
PID 1216 wrote to memory of 4032	1216	winlogon.exe	350
PID 1216 wrote to memory of 4032	1216	winlogon.exe	350
PID 2260 wrote to memory of 4508	2260	cute.exe	351
PID 2260 wrote to memory of 4508	2260	cute.exe	351
PID 2260 wrote to memory of 4508	2260	cute.exe	351
PID 2260 wrote to memory of 4576	2260	cute.exe	352
PID 2260 wrote to memory of 4576	2260	cute.exe	352
PID 2260 wrote to memory of 4576	2260	cute.exe	352
PID 2036 wrote to memory of 3872	2036	Shell.exe	356
PID 2036 wrote to memory of 3872	2036	Shell.exe	356
PID 2036 wrote to memory of 3872	2036	Shell.exe	356
PID 2036 wrote to memory of 2332	2036	Shell.exe	358
PID 2036 wrote to memory of 2332	2036	Shell.exe	358
PID 2036 wrote to memory of 2332	2036	Shell.exe	358
PID 2260 wrote to memory of 1536	2260	cute.exe	362
PID 2260 wrote to memory of 1536	2260	cute.exe	362
PID 2260 wrote to memory of 1536	2260	cute.exe	362
PID 1216 wrote to memory of 4464	1216	winlogon.exe	363

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	32a27ccd8f957c5124a1b14332a74d20N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	32a27ccd8f957c5124a1b14332a74d20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe

C:\Users\Admin\AppData\Local\Temp\32a27ccd8f957c5124a1b14332a74d20N.exe
"C:\Users\Admin\AppData\Local\Temp\32a27ccd8f957c5124a1b14332a74d20N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3076
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 516
    3⤵
    - Program crash
    PID:1624
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 536
        5⤵
        Program crash
        
        PID:3480
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 488
        7⤵
        Program crash
        
        PID:3232
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 508
        9⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4708
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 508
        9⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:512
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 488
        7⤵
        Program crash
        
        PID:4632
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 512
        9⤵
        Program crash
        
        PID:1988
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 508
        9⤵
        Program crash
        
        PID:4088
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 488
        5⤵
        Program crash
        
        PID:4592
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 512
        7⤵
        Program crash
        
        PID:4384
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 488
        9⤵
        Program crash
        
        PID:3780
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 488
        9⤵
        Program crash
        
        PID:2720
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3144
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 508
        7⤵
        Program crash
        
        PID:452
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 496
        9⤵
        Program crash
        
        PID:1392
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 496
        9⤵
        Program crash
        
        PID:4948
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 488
    3⤵
    - Program crash
    PID:1652
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 508
        5⤵
        Program crash
        
        PID:4412
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 488
        7⤵
        Program crash
        
        PID:2124
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 508
        9⤵
        Program crash
        
        PID:4272
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4736
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 508
        9⤵
        Program crash
        
        PID:1904
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 488
        7⤵
        Program crash
        
        PID:1480
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 512
        9⤵
        Program crash
        
        PID:2328
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 508
        9⤵
        Program crash
        
        PID:4220
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3244
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 508
        5⤵
        Program crash
        
        PID:2468
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 488
        7⤵
        Program crash
        
        PID:1996
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 508
        9⤵
        Program crash
        
        PID:464
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 508
        9⤵
        Program crash
        
        PID:1000
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4592
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 488
        7⤵
        Program crash
        
        PID:2440
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 508
        9⤵
        Program crash
        
        PID:2156
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 508
        9⤵
        Program crash
        
        PID:4380
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 492
    3⤵
    - Program crash
    PID:264
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 508
        5⤵
        Program crash
        
        PID:2188
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 500
        7⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 488
        9⤵
        Program crash
        
        PID:852
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 488
        9⤵
        Program crash
        
        PID:2072
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 492
        7⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 508
        9⤵
        Program crash
        
        PID:3544
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 508
        9⤵
        Program crash
        
        PID:1732
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3004
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      PID:1788
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 516
    3⤵
    - Program crash
    PID:4804
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 488
        5⤵
        Program crash
        
        PID:4440
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 508
        7⤵
        Program crash
        
        PID:4756
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 500
        9⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 508
        7⤵
        Program crash
        
        PID:528
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 496
        9⤵
        Program crash
        
        PID:4576
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 496
        9⤵
        Program crash
        
        PID:4008
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1320
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2036
    - - C:\Windows\Tiwi.exe
        
        C:\Windows\Tiwi.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
    - - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        5⤵
        
        PID:4336
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        5⤵
        
        PID:2332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 488
        6⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4220
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2260
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - System policy modification
    PID:3164
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4068
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      PID:4432
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 488
        5⤵
        Program crash
        
        PID:4764
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1712
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3076
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3212
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 200
      4⤵
      Program crash
      PID:4888
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2960
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2720
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    PID:1536
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1216
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    PID:4032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    PID:4464
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 488
      4⤵
      Program crash
      PID:4092
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2192
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    PID:1676
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 488
    3⤵
    - Program crash
    PID:3604
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5092
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:4592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3476 -ip 3476
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4476 -ip 4476
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1644 -ip 1644
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4808 -ip 4808
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4708 -ip 4708
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2156 -ip 2156
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2004 -ip 2004
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1736 -ip 1736
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 512 -ip 512
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1248 -ip 1248
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2648 -ip 2648
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4880 -ip 4880
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1472 -ip 1472
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2244 -ip 2244
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3928 -ip 3928
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2460 -ip 2460
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2188 -ip 2188
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4832 -ip 4832
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3128 -ip 3128
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1616 -ip 1616
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 376 -ip 376
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1416 -ip 1416
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1676 -ip 1676
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3144 -ip 3144
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2940 -ip 2940
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4408 -ip 4408
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2124 -ip 2124
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1564 -ip 1564
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4628 -ip 4628
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4936 -ip 4936
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1472 -ip 1472
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3736 -ip 3736
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3140 -ip 3140
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1488 -ip 1488
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2660 -ip 2660
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4736 -ip 4736
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4904 -ip 4904
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3572 -ip 3572
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1808 -ip 1808
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2636 -ip 2636
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4224 -ip 4224
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2348 -ip 2348
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 224 -ip 224
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3164 -ip 3164
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2708 -ip 2708
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3244 -ip 3244
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2720 -ip 2720
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3440 -ip 3440
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4436 -ip 4436
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3968 -ip 3968
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3724 -ip 3724
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3148 -ip 3148
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2940 -ip 2940
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4592 -ip 4592
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2124 -ip 2124
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3496 -ip 3496
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1668 -ip 1668
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2328 -ip 2328
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 884 -ip 884
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4576 -ip 4576
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 400 -ip 400
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1480 -ip 1480
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1704 -ip 1704
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5028 -ip 5028
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 228 -ip 228
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2192 -ip 2192
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4868 -ip 4868
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1500 -ip 1500
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5092 -ip 5092
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1200 -ip 1200
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3708 -ip 3708
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2424 -ip 2424
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1028 -ip 1028
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4224 -ip 4224
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2952 -ip 2952
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4720 -ip 4720
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2632 -ip 2632
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3004 -ip 3004
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 464 -ip 464
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3568 -ip 3568
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2940 -ip 2940
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1788 -ip 1788
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3080 -ip 3080
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1568 -ip 1568
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1396 -ip 1396
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1540 -ip 1540
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2664 -ip 2664
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4412 -ip 4412
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 400 -ip 400
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1564 -ip 1564
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2556 -ip 2556
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3004 -ip 3004
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1320 -ip 1320
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3080 -ip 3080
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4576 -ip 4576
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2332 -ip 2332
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1668 -ip 1668
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 872 -ip 872
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
0355f7a03381a2d951165cd74e5238e3

SHA1
e30cac6555791a40a4651db5839774f20996eeb4

SHA256
e9f8793a48340c794e1470a0740f91f792a30e5d07b6ad7d5bdf4570927666cb

SHA512
22bdbd160bd67284bbc8e4b94f99adb64aeea91c22f5838245c3bf6768296cd427fac40e398c0f6fa719da6092a0eb2f310329e0934797fc7deaf62f53b56b9e

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
190KB

MD5
1c638bc39513118363c7604388a91e7c

SHA1
5776fd5df3ca6e276c2cb6040aa16208d37eccc7

SHA256
6fe6722d99e6e92c53c37b8b47ea6117d0c368f0178ab4bb82486bab8a199571

SHA512
ecbcc74c633f0aac770b21c9b546860a056fc7b34605a8fcee30c13a12b0e2b57d87e324b7ddf600214e0904e511804b8c5848b59e6e0356ad09991b63d15c81

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
190KB

MD5
8019694b44e7b7374d5f74574aa2fa81

SHA1
e7c054a3f58e21b428e3dd2681e63695d15c5384

SHA256
eaa7cff9ef5cbda476f4370f69953f3935a4824a12d3bbbdbcc34d23b8355d72

SHA512
e3f808911415004afbb6fa6c017434903fa79d2654082926391321eb45be773889ce4b3ceff8785039b65139761604536191b0e0bba3e604a56a1b38e328da15

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
190KB

MD5
32a27ccd8f957c5124a1b14332a74d20

SHA1
5efe4f64e26b616822c6eb2e61f0790fd753068c

SHA256
ce5cc4257768b68406ea4969fb5e2b6aac5cc269e2df34213d5e7f8b2d8d9733

SHA512
5a0ad8a5e66329a0fc1809c9ed8aa7251a27a91baeb4cfc6f88ba3ca98e1243eb0e0c3e63454b78f391f9f1b977323a47c85d9407fb174b76d3e4e3adb5e3595

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
190KB

MD5
76d829cd662ff5dc1f0ea2ec2f581f3a

SHA1
2e1af9ab43e9d8b2a13c41e1e395831c9b5f9b8f

SHA256
aefd40eec3feccdeaa306db2d2214febc50a185a90379f36f5a67993e3ce2343

SHA512
36fc45d8a836af6bedc9cfeb38c7c1a33f64fcf76beb00234aaae70b97ae220b4e23bcbbbfde94f275e206f8036bcacbcf5e88eed32c33cde7ace3313e4af5d7

Download Submit
C:\Windows\tiwi.exe

Filesize
190KB

MD5
64d1127bbf69eb8fa56c7d76a4e435fb

SHA1
528f25bba4f4efa8f47aa653db0d6a1d70cde0d5

SHA256
1d1ec86bad438849442ed07c91e08f77a64af4d1214e3cf984849c08cce63d90

SHA512
c8b00511443273f4467b6be59ca61e06c24e1e429c2a451c82e03c399bd86a97b03a8a58fb0e12d9cd61682b97ed57358519d4a45e52021ddd1bf03c385f1017

Download Submit
C:\Windows\tiwi.exe

Filesize
190KB

MD5
183ca2c506840a498139f47499ace2ed

SHA1
8393e07cc9257cc6eec030e20fd89ca5885505bc

SHA256
e65b5d2b0140ec1a480754722984824dd2fa39fd552ec1594a45019db3361805

SHA512
d040eb6b200ca646e0ab3c3a0b8de8dfdf43db8d71289301d332efb6f1194e11d530389dbce8abb6a1246896e59b245698fa824e926d4c4ba9dece16e196ca98

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/224-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/376-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download