Analysis
max time kernel: 97s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 08/09/2024, 05:24
Behavioral task: behavioral1
Sample: 9e6d4dc0b895fdd93824590f24492b60N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 9e6d4dc0b895fdd93824590f24492b60N.exe
Resource: win10v2004-20240802-en
General
Target: 9e6d4dc0b895fdd93824590f24492b60N.exe
Size: 218KB
MD5: 9e6d4dc0b895fdd93824590f24492b60
SHA1: a46e18e11c0e6b7c90edcd52c182e7480a67d383
SHA256: 38a02f4754979140af96c26cb7e5eb36218f60677dfa2f3bbc40ea93ac03ccc7
SHA512: 344c689924d2d678105156271ec85c7f6a76a1879431b63aa64d51405e7ee0a3c779860d2a23a25d649f69240970005d4143d9a92dc1c50eddff8911aa8eb506
SSDEEP: 3072:HGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8Cg2U:m753RgWg4aAXjb6aEFfooeLNZxCo
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
pid | Process
2004 | Tiwi.exe
812 | Shell.exe
2124 | Shell.exe
596 | Shell.exe
1032 | Shell.exe
672 | Shell.exe
2396 | Shell.exe
2340 | Shell.exe
1160 | Shell.exe
848 | Shell.exe
328 | Shell.exe
2864 | Shell.exe
1832 | Shell.exe
2140 | Shell.exe
1868 | Shell.exe
888 | Shell.exe
2608 | Shell.exe
2368 | Shell.exe
1748 | Shell.exe
1788 | Shell.exe
3060 | Shell.exe
2280 | Shell.exe
2944 | Shell.exe
1628 | Shell.exe
1964 | Shell.exe
1956 | Shell.exe
2068 | Shell.exe
1584 | Shell.exe
2736 | Shell.exe
2664 | Shell.exe
2768 | Shell.exe
2716 | Shell.exe
2696 | Shell.exe
2532 | Shell.exe
2680 | Shell.exe
2512 | Shell.exe
2576 | Shell.exe
2932 | Shell.exe
2916 | Shell.exe
912 | Shell.exe
836 | Shell.exe
1104 | Shell.exe
2852 | Shell.exe
3068 | Shell.exe
808 | Shell.exe
752 | Shell.exe
1340 | Shell.exe
2392 | Shell.exe
1052 | Shell.exe
2056 | Shell.exe
3024 | Shell.exe
972 | Shell.exe
940 | Shell.exe
3020 | Shell.exe
1156 | Shell.exe
1348 | Shell.exe
1216 | Shell.exe
2420 | Shell.exe
2236 | Shell.exe
1732 | Shell.exe
2928 | Shell.exe
1704 | Shell.exe
2116 | Shell.exe
2748 | Shell.exe
Loads dropped DLL 64 IoCs
pid | Process
2080 | WerFault.exe
2080 | WerFault.exe
2220 | WerFault.exe
2220 | WerFault.exe
2572 | WerFault.exe
2572 | WerFault.exe
1272 | WerFault.exe
1272 | WerFault.exe
560 | WerFault.exe
560 | WerFault.exe
1548 | WerFault.exe
1548 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
1044 | WerFault.exe
1044 | WerFault.exe
1688 | WerFault.exe
1688 | WerFault.exe
2132 | WerFault.exe
2132 | WerFault.exe
2448 | WerFault.exe
2448 | WerFault.exe
2960 | WerFault.exe
2960 | WerFault.exe
1680 | WerFault.exe
1680 | WerFault.exe
1756 | WerFault.exe
1756 | WerFault.exe
900 | WerFault.exe
900 | WerFault.exe
2156 | WerFault.exe
2156 | WerFault.exe
2956 | WerFault.exe
2956 | WerFault.exe
2260 | WerFault.exe
2260 | WerFault.exe
768 | WerFault.exe
768 | WerFault.exe
1816 | WerFault.exe
1816 | WerFault.exe
2788 | WerFault.exe
2788 | WerFault.exe
2692 | WerFault.exe
2692 | WerFault.exe
764 | WerFault.exe
764 | WerFault.exe
884 | WerFault.exe
884 | WerFault.exe
1992 | WerFault.exe
1992 | WerFault.exe
2924 | WerFault.exe
2924 | WerFault.exe
2660 | WerFault.exe
2660 | WerFault.exe
1708 | WerFault.exe
1708 | WerFault.exe
2840 | WerFault.exe
2840 | WerFault.exe
2620 | WerFault.exe
2620 | WerFault.exe
2972 | WerFault.exe
2972 | WerFault.exe
2688 | WerFault.exe
2688 | WerFault.exe
Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
resource | yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/files/0x00020000000178b0-7.dat | upx
behavioral1/memory/3064-94-0x00000000028E0000-0x0000000002914000-memory.dmp | upx
behavioral1/files/0x0006000000017444-98.dat | upx
behavioral1/files/0x00020000000178b0-101.dat | upx
behavioral1/memory/812-104-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/672-125-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/3064-136-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2004-153-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/812-159-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2124-165-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/596-171-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1032-177-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/672-183-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2396-189-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2340-195-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1160-201-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/848-207-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/328-213-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2864-219-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1832-222-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2140-225-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1868-228-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/888-231-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2608-234-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2368-237-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1748-240-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1788-243-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/3060-246-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2768-249-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2280-250-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2944-253-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1628-256-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1964-259-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1956-262-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2068-265-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1584-268-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2916-274-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2736-272-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2664-275-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2768-278-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2716-281-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2696-284-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2532-287-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2680-290-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/752-296-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2512-294-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2576-297-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2932-300-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2916-303-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/912-306-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/836-309-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1104-312-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2852-315-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/3068-319-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/808-321-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/752-324-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1340-327-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2392-330-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1052-333-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2056-336-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/3024-339-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/972-343-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/940-345-0x0000000000400000-0x0000000000434000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\J: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\O: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\P: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\R: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\G: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\I: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\M: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\T: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\Z: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\X: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\B: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\E: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\L: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\N: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\V: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\Y: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\K: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\Q: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\S: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\U: | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only) | \??\W: | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies WinLogon 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | 9e6d4dc0b895fdd93824590f24492b60N.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification | F:\autorun.inf | 9e6d4dc0b895fdd93824590f24492b60N.exe
File created | C:\autorun.inf | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification | C:\autorun.inf | 9e6d4dc0b895fdd93824590f24492b60N.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shell.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 9e6d4dc0b895fdd93824590f24492b60N.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | 9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\tiwi.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
File created | C:\Windows\tiwi.exe | 9e6d4dc0b895fdd93824590f24492b60N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
pid | pid_target | Process | procid_target
2080 | 2004 | WerFault.exe | 30
2220 | 812 | WerFault.exe | 32
2572 | 2124 | WerFault.exe | 34
1272 | 596 | WerFault.exe | 36
560 | 1032 | WerFault.exe | 38
1548 | 672 | WerFault.exe | 40
2020 | 2396 | WerFault.exe | 42
1044 | 2340 | WerFault.exe | 44
1688 | 1160 | WerFault.exe | 46
2132 | 848 | WerFault.exe | 48
2448 | 328 | WerFault.exe | 50
2960 | 2864 | WerFault.exe | 52
1680 | 1832 | WerFault.exe | 54
1756 | 2140 | WerFault.exe | 56
900 | 1868 | WerFault.exe | 58
2156 | 888 | WerFault.exe | 60
2956 | 2608 | WerFault.exe | 62
2260 | 2368 | WerFault.exe | 64
768 | 1748 | WerFault.exe | 66
1816 | 1788 | WerFault.exe | 68
2788 | 3060 | WerFault.exe | 70
2692 | 2280 | WerFault.exe | 72
764 | 2944 | WerFault.exe | 74
884 | 1628 | WerFault.exe | 76
1992 | 1964 | WerFault.exe | 78
2924 | 1956 | WerFault.exe | 80
2660 | 2068 | WerFault.exe | 82
1708 | 1584 | WerFault.exe | 84
2840 | 2736 | WerFault.exe | 86
2620 | 2664 | WerFault.exe | 88
2972 | 2768 | WerFault.exe | 90
2688 | 2716 | WerFault.exe | 92
1724 | 2696 | WerFault.exe | 94
2700 | 2532 | WerFault.exe | 96
2624 | 2680 | WerFault.exe | 98
2540 | 2512 | WerFault.exe | 100
2900 | 2576 | WerFault.exe | 102
2344 | 2932 | WerFault.exe | 104
276 | 2916 | WerFault.exe | 106
1328 | 912 | WerFault.exe | 108
1300 | 836 | WerFault.exe | 110
2848 | 1104 | WerFault.exe | 112
3056 | 2852 | WerFault.exe | 114
2808 | 3068 | WerFault.exe | 116
2152 | 808 | WerFault.exe | 118
1600 | 752 | WerFault.exe | 120
1504 | 1340 | WerFault.exe | 122
1420 | 2392 | WerFault.exe | 124
1716 | 1052 | WerFault.exe | 126
2952 | 2056 | WerFault.exe | 128
1980 | 3024 | WerFault.exe | 130
780 | 972 | WerFault.exe | 132
1808 | 940 | WerFault.exe | 134
2832 | 3020 | WerFault.exe | 136
1536 | 1156 | WerFault.exe | 138
2028 | 1348 | WerFault.exe | 140
1576 | 1216 | WerFault.exe | 142
1936 | 2420 | WerFault.exe | 144
2104 | 2236 | WerFault.exe | 146
876 | 1732 | WerFault.exe | 148
1608 | 2928 | WerFault.exe | 150
2616 | 1704 | WerFault.exe | 152
2672 | 2116 | WerFault.exe | 154
2548 | 2748 | WerFault.exe | 156
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies Control Panel 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s2359 = "Tiwi" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\s1159 = "Tiwi" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\Mouse\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies Internet Explorer settings 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 9e6d4dc0b895fdd93824590f24492b60N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 9e6d4dc0b895fdd93824590f24492b60N.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process
3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe
2004 | Tiwi.exe
812 | Shell.exe
2124 | Shell.exe
596 | Shell.exe
1032 | Shell.exe
672 | Shell.exe
2396 | Shell.exe
2340 | Shell.exe
1160 | Shell.exe
848 | Shell.exe
328 | Shell.exe
2864 | Shell.exe
1832 | Shell.exe
2140 | Shell.exe
1868 | Shell.exe
888 | Shell.exe
2608 | Shell.exe
2368 | Shell.exe
1748 | Shell.exe
1788 | Shell.exe
3060 | Shell.exe
2280 | Shell.exe
2944 | Shell.exe
1628 | Shell.exe
1964 | Shell.exe
1956 | Shell.exe
2068 | Shell.exe
1584 | Shell.exe
2736 | Shell.exe
2664 | Shell.exe
2768 | Shell.exe
2716 | Shell.exe
2696 | Shell.exe
2532 | Shell.exe
2680 | Shell.exe
2512 | Shell.exe
2576 | Shell.exe
2932 | Shell.exe
2916 | Shell.exe
912 | Shell.exe
836 | Shell.exe
1104 | Shell.exe
2852 | Shell.exe
3068 | Shell.exe
808 | Shell.exe
752 | Shell.exe
1340 | Shell.exe
2392 | Shell.exe
1052 | Shell.exe
2056 | Shell.exe
3024 | Shell.exe
972 | Shell.exe
940 | Shell.exe
3020 | Shell.exe
1156 | Shell.exe
1348 | Shell.exe
1216 | Shell.exe
2420 | Shell.exe
2236 | Shell.exe
1732 | Shell.exe
2928 | Shell.exe
1704 | Shell.exe
2116 | Shell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3064 wrote to memory of 2004 | 3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe | 30
PID 3064 wrote to memory of 2004 | 3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe | 30
PID 3064 wrote to memory of 2004 | 3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe | 30
PID 3064 wrote to memory of 2004 | 3064 | 9e6d4dc0b895fdd93824590f24492b60N.exe | 30
PID 2004 wrote to memory of 2080 | 2004 | Tiwi.exe | 31
PID 2004 wrote to memory of 2080 | 2004 | Tiwi.exe | 31
PID 2004 wrote to memory of 2080 | 2004 | Tiwi.exe | 31
PID 2004 wrote to memory of 2080 | 2004 | Tiwi.exe | 31
PID 812 wrote to memory of 2220 | 812 | Shell.exe | 33
PID 812 wrote to memory of 2220 | 812 | Shell.exe | 33
PID 812 wrote to memory of 2220 | 812 | Shell.exe | 33
PID 812 wrote to memory of 2220 | 812 | Shell.exe | 33
PID 2124 wrote to memory of 2572 | 2124 | Shell.exe | 35
PID 2124 wrote to memory of 2572 | 2124 | Shell.exe | 35
PID 2124 wrote to memory of 2572 | 2124 | Shell.exe | 35
PID 2124 wrote to memory of 2572 | 2124 | Shell.exe | 35
PID 596 wrote to memory of 1272 | 596 | Shell.exe | 37
PID 596 wrote to memory of 1272 | 596 | Shell.exe | 37
PID 596 wrote to memory of 1272 | 596 | Shell.exe | 37
PID 596 wrote to memory of 1272 | 596 | Shell.exe | 37
PID 1032 wrote to memory of 560 | 1032 | Shell.exe | 39
PID 1032 wrote to memory of 560 | 1032 | Shell.exe | 39
PID 1032 wrote to memory of 560 | 1032 | Shell.exe | 39
PID 1032 wrote to memory of 560 | 1032 | Shell.exe | 39
PID 672 wrote to memory of 1548 | 672 | Shell.exe | 41
PID 672 wrote to memory of 1548 | 672 | Shell.exe | 41
PID 672 wrote to memory of 1548 | 672 | Shell.exe | 41
PID 672 wrote to memory of 1548 | 672 | Shell.exe | 41
PID 2396 wrote to memory of 2020 | 2396 | Shell.exe | 43
PID 2396 wrote to memory of 2020 | 2396 | Shell.exe | 43
PID 2396 wrote to memory of 2020 | 2396 | Shell.exe | 43
PID 2396 wrote to memory of 2020 | 2396 | Shell.exe | 43
PID 2340 wrote to memory of 1044 | 2340 | Shell.exe | 45
PID 2340 wrote to memory of 1044 | 2340 | Shell.exe | 45
PID 2340 wrote to memory of 1044 | 2340 | Shell.exe | 45
PID 2340 wrote to memory of 1044 | 2340 | Shell.exe | 45
PID 1160 wrote to memory of 1688 | 1160 | Shell.exe | 47
PID 1160 wrote to memory of 1688 | 1160 | Shell.exe | 47
PID 1160 wrote to memory of 1688 | 1160 | Shell.exe | 47
PID 1160 wrote to memory of 1688 | 1160 | Shell.exe | 47
PID 848 wrote to memory of 2132 | 848 | Shell.exe | 49
PID 848 wrote to memory of 2132 | 848 | Shell.exe | 49
PID 848 wrote to memory of 2132 | 848 | Shell.exe | 49
PID 848 wrote to memory of 2132 | 848 | Shell.exe | 49
PID 328 wrote to memory of 2448 | 328 | Shell.exe | 51
PID 328 wrote to memory of 2448 | 328 | Shell.exe | 51
PID 328 wrote to memory of 2448 | 328 | Shell.exe | 51
PID 328 wrote to memory of 2448 | 328 | Shell.exe | 51
PID 2864 wrote to memory of 2960 | 2864 | Shell.exe | 53
PID 2864 wrote to memory of 2960 | 2864 | Shell.exe | 53
PID 2864 wrote to memory of 2960 | 2864 | Shell.exe | 53
PID 2864 wrote to memory of 2960 | 2864 | Shell.exe | 53
PID 1832 wrote to memory of 1680 | 1832 | Shell.exe | 55
PID 1832 wrote to memory of 1680 | 1832 | Shell.exe | 55
PID 1832 wrote to memory of 1680 | 1832 | Shell.exe | 55
PID 1832 wrote to memory of 1680 | 1832 | Shell.exe | 55
PID 2140 wrote to memory of 1756 | 2140 | Shell.exe | 57
PID 2140 wrote to memory of 1756 | 2140 | Shell.exe | 57
PID 2140 wrote to memory of 1756 | 2140 | Shell.exe | 57
PID 2140 wrote to memory of 1756 | 2140 | Shell.exe | 57
PID 1868 wrote to memory of 900 | 1868 | Shell.exe | 59
PID 1868 wrote to memory of 900 | 1868 | Shell.exe | 59
PID 1868 wrote to memory of 900 | 1868 | Shell.exe | 59
PID 1868 wrote to memory of 900 | 1868 | Shell.exe | 59
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 9e6d4dc0b895fdd93824590f24492b60N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e6d4dc0b895fdd93824590f24492b60N.exe  "C:\Users\Admin\AppData\Local\Temp\9e6d4dc0b895fdd93824590f24492b60N.exe"  1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3064
C:\Windows\Tiwi.exe  C:\Windows\Tiwi.exe  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 216  3⤵
- Loads dropped DLL
- Program crash
PID:2080
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 236  5⤵
- Loads dropped DLL
- Program crash
PID:2220
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 256  7⤵
- Loads dropped DLL
- Program crash
PID:2572
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 276  9⤵
- Loads dropped DLL
- Program crash
PID:1272
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 296  11⤵
- Loads dropped DLL
- Program crash
PID:560
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 316  13⤵
- Loads dropped DLL
- Program crash
PID:1548
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 336  15⤵
- Loads dropped DLL
- Program crash
PID:2020
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 356  17⤵
- Loads dropped DLL
- Program crash
PID:1044
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  18⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 376  19⤵
- Loads dropped DLL
- Program crash
PID:1688
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  20⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 396  21⤵
- Loads dropped DLL
- Program crash
PID:2132
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  22⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 416  23⤵
- Loads dropped DLL
- Program crash
PID:2448
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  24⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 436  25⤵
- Loads dropped DLL
- Program crash
PID:2960
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  26⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 456  27⤵
- Loads dropped DLL
- Program crash
PID:1680
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  28⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 476  29⤵
- Loads dropped DLL
- Program crash
PID:1756
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  30⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 496  31⤵
- Loads dropped DLL
- Program crash
PID:900
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  32⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:888
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 516  33⤵
- Loads dropped DLL
- Program crash
PID:2156
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  34⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 536  35⤵
- Loads dropped DLL
- Program crash
PID:2956
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  36⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 556  37⤵
- Loads dropped DLL
- Program crash
PID:2260
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  38⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1748
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 576  39⤵
- Loads dropped DLL
- Program crash
PID:768
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  40⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 596  41⤵
- Loads dropped DLL
- Program crash
PID:1816
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  42⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3060
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 616  43⤵
- Loads dropped DLL
- Program crash
PID:2788
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  44⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2280
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 636  45⤵
- Loads dropped DLL
- Program crash
PID:2692
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  46⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2944
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 656  47⤵
- Loads dropped DLL
- Program crash
PID:764
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  48⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 676  49⤵
- Loads dropped DLL
- Program crash
PID:884
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1964
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 696  51⤵
- Loads dropped DLL
- Program crash
PID:1992
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  52⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 716  53⤵
- Loads dropped DLL
- Program crash
PID:2924
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  54⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2068
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 736  55⤵
- Loads dropped DLL
- Program crash
PID:2660
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  56⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 756  57⤵
- Loads dropped DLL
- Program crash
PID:1708
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  58⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 776  59⤵
- Loads dropped DLL
- Program crash
PID:2840
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  60⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 796  61⤵
- Loads dropped DLL
- Program crash
PID:2620
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  62⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2768
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 816  63⤵
- Loads dropped DLL
- Program crash
PID:2972
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  64⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 836  65⤵
- Loads dropped DLL
- Program crash
PID:2688
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  66⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 856  67⤵
- Program crash
PID:1724
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  68⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 876  69⤵
- Program crash
PID:2700
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  70⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 896  71⤵
- Program crash
PID:2624
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  72⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 916  73⤵
- Program crash
PID:2540
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  74⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 936  75⤵
- Program crash
PID:2900
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  76⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2932
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 956  77⤵
- Program crash
PID:2344
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  78⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2916
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 976  79⤵
- Program crash
PID:276
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  80⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:912
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 996  81⤵
- Program crash
PID:1328
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  82⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 1016  83⤵
- Program crash
PID:1300
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  84⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1104
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1040  85⤵
- Program crash
PID:2848
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  86⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1060  87⤵
- Program crash
PID:3056
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  88⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1080  89⤵
- Program crash
PID:2808
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  90⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 1100  91⤵
- Program crash
PID:2152
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  92⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:752
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1120  93⤵
- Program crash
PID:1600
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  94⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1140  95⤵
- Program crash
PID:1504
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  96⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1160  97⤵
- Program crash
PID:1420
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  98⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1052
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1180  99⤵
- Program crash
PID:1716
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  100⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2056
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1200  101⤵
- Program crash
PID:2952
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  102⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3024
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1220  103⤵
- Program crash
PID:1980
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  104⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1240  105⤵
- Program crash
PID:780
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  106⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1260  107⤵
- Program crash
PID:1808
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  108⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3020
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1280  109⤵
- Program crash
PID:2832
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  110⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1156
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1300  111⤵
- Program crash
PID:1536
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  112⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1348
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1320  113⤵
- Program crash
PID:2028
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  114⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1340  115⤵
- Program crash
PID:1576
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  116⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1360  117⤵
- Program crash
PID:1936
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  118⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1380  119⤵
- Program crash
PID:2104
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  120⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1400  121⤵
- Program crash
PID:876
C:\Windows\SysWOW64\Shell.exe  "C:\Windows\system32\Shell.exe"  122⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928