d2a62ecb1dedb42307ae5728e7f02ba124094c722ab4dda4074980b419301d87

Analysis

max time kernel
37s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b63a7ad30d6de52b5f53c5717f82d56.exe
Size

166KB
MD5

2b63a7ad30d6de52b5f53c5717f82d56
SHA1

d97f132bfe9738f43b79eb9cf8b9243dab27e5ce
SHA256

d2a62ecb1dedb42307ae5728e7f02ba124094c722ab4dda4074980b419301d87
SHA512

0eab90f83dd019724db0d46b47f6cc8f44efef4bc61e5e5e51ef96d4314fd066aa3a536a420ef1dd3f5da70591f5a7a0444560857a5061b7b885ad0644bda85f
SSDEEP

3072:mDskFLzTz69/4LJccv5tHXgoYktmBHALhhKbaynAXH+A+Cr+bjWnnq9b2xawZq29:mQk5zTz69QLJccv5tHXgoYktmBHALhhZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2244	Shell.exe
2376	Shell.exe
2360	Shell.exe
2824	Shell.exe
2852	Shell.exe
2720	Shell.exe
3036	Shell.exe
2576	Shell.exe
2812	Shell.exe
2604	Shell.exe
2980	Shell.exe
2564	Shell.exe
2612	Shell.exe
2688	Shell.exe
1856	Shell.exe
2436	Shell.exe
2548	Shell.exe
1684	Shell.exe
2920	Shell.exe
2940	Shell.exe
2972	Shell.exe
2976	Shell.exe
2968	Shell.exe
3000	Shell.exe
1920	Shell.exe
2756	Shell.exe
2668	Shell.exe
3012	Shell.exe
1540	Shell.exe
560	Shell.exe
1916	Shell.exe
1748	Shell.exe
1784	Shell.exe
1568	Shell.exe
2156	Shell.exe
2120	Shell.exe
392	Shell.exe
820	Shell.exe
1584	Shell.exe
1624	Shell.exe
2164	Shell.exe
1632	Shell.exe
1848	Shell.exe
2792	Shell.exe
2636	Shell.exe
528	Shell.exe
324	Shell.exe
476	Shell.exe
976	Shell.exe
864	Shell.exe
304	Shell.exe
1480	Shell.exe
1484	Shell.exe
564	Shell.exe
1476	Shell.exe
2028	Shell.exe
2896	Shell.exe
2780	Shell.exe
2880	Shell.exe
1648	Shell.exe
1640	Shell.exe
612	Shell.exe
1416	Shell.exe
1252	Shell.exe

Loads dropped DLL 64 IoCs

pid	Process
2488	2b63a7ad30d6de52b5f53c5717f82d56.exe
2488	2b63a7ad30d6de52b5f53c5717f82d56.exe
2244	Shell.exe
2244	Shell.exe
2376	Shell.exe
2376	Shell.exe
2360	Shell.exe
2360	Shell.exe
2824	Shell.exe
2824	Shell.exe
2852	Shell.exe
2852	Shell.exe
2720	Shell.exe
2720	Shell.exe
3036	Shell.exe
3036	Shell.exe
2576	Shell.exe
2576	Shell.exe
2812	Shell.exe
2812	Shell.exe
2604	Shell.exe
2604	Shell.exe
2980	Shell.exe
2980	Shell.exe
2564	Shell.exe
2564	Shell.exe
2612	Shell.exe
2612	Shell.exe
2688	Shell.exe
2688	Shell.exe
1856	Shell.exe
1856	Shell.exe
2436	Shell.exe
2436	Shell.exe
2548	Shell.exe
2548	Shell.exe
1684	Shell.exe
1684	Shell.exe
2920	Shell.exe
2920	Shell.exe
2940	Shell.exe
2940	Shell.exe
2972	Shell.exe
2972	Shell.exe
2976	Shell.exe
2976	Shell.exe
2968	Shell.exe
2968	Shell.exe
3000	Shell.exe
3000	Shell.exe
1920	Shell.exe
1920	Shell.exe
2756	Shell.exe
2756	Shell.exe
2668	Shell.exe
2668	Shell.exe
3012	Shell.exe
3012	Shell.exe
1540	Shell.exe
1540	Shell.exe
560	Shell.exe
560	Shell.exe
1916	Shell.exe
1916	Shell.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	WerFault.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Shell.exe = "C:\\Windows\\system32\\Shell.exe"	Shell.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Deleteme.bat	WerFault.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\Shell.exe	Shell.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
6732	2980	WerFault.exe	232
6724	2612	WerFault.exe	230
6700	2564	WerFault.exe	231
6772	2688	WerFault.exe	229
6788	2436	WerFault.exe	227
6848	1856	WerFault.exe	228
6940	1684	WerFault.exe	225
6920	2548	WerFault.exe	226
7024	2920	WerFault.exe	224
7044	2940	WerFault.exe	223
7052	2972	WerFault.exe	222
7064	2976	WerFault.exe	221
7120	1540	WerFault.exe	20
7128	1920	WerFault.exe	18
7112	2668	WerFault.exe	220
7104	2968	WerFault.exe	16
7160	560	WerFault.exe	218
6112	3012	WerFault.exe	219
7152	3000	WerFault.exe	19
6492	2756	WerFault.exe	17
2720	1748	WerFault.exe	21
6612	1916	WerFault.exe	217
6676	1568	WerFault.exe	22
6688	2156	WerFault.exe	23
6656	1784	WerFault.exe	216
6752	392	WerFault.exe	24
6784	820	WerFault.exe	214
6876	2120	WerFault.exe	215
6960	1584	WerFault.exe	25
7004	2164	WerFault.exe	212
6532	2792	WerFault.exe	27
6508	1624	WerFault.exe	213
7060	2636	WerFault.exe	28
7148	1848	WerFault.exe	211
6860	1632	WerFault.exe	26
7220	528	WerFault.exe	30
7228	324	WerFault.exe	29
7252	476	WerFault.exe	210
7280	864	WerFault.exe	209
7352	976	WerFault.exe	31
7360	304	WerFault.exe	32
7380	1484	WerFault.exe	35
7388	1480	WerFault.exe	208
7412	1476	WerFault.exe	33
7436	564	WerFault.exe	34
7464	2028	WerFault.exe	36
7528	2780	WerFault.exe	206
7520	2896	WerFault.exe	207
7544	1648	WerFault.exe	38
7612	612	WerFault.exe	39
7668	1524	WerFault.exe	42
7652	1380	WerFault.exe	45
7620	2880	WerFault.exe	37
7628	1640	WerFault.exe	40
7716	1376	WerFault.exe	204
7744	1416	WerFault.exe	44
7764	1716	WerFault.exe	46
7756	852	WerFault.exe	205
7780	1252	WerFault.exe	41
7772	1752	WerFault.exe	203
7796	1692	WerFault.exe	202
7804	1700	WerFault.exe	47
7820	2664	WerFault.exe	49
7836	1164	WerFault.exe	48

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	2b63a7ad30d6de52b5f53c5717f82d56.exe
2244	Shell.exe
2376	Shell.exe
2360	Shell.exe
2824	Shell.exe
2852	Shell.exe
2720	Shell.exe
3036	Shell.exe
2576	Shell.exe
2812	Shell.exe
2604	Shell.exe
2980	Shell.exe
2564	Shell.exe
2612	Shell.exe
2688	Shell.exe
1856	Shell.exe
2436	Shell.exe
2548	Shell.exe
1684	Shell.exe
2920	Shell.exe
2940	Shell.exe
2972	Shell.exe
2976	Shell.exe
2968	Shell.exe
3000	Shell.exe
1920	Shell.exe
2756	Shell.exe
2668	Shell.exe
3012	Shell.exe
1540	Shell.exe
560	Shell.exe
1916	Shell.exe
1748	Shell.exe
1784	Shell.exe
1568	Shell.exe
2156	Shell.exe
2120	Shell.exe
392	Shell.exe
820	Shell.exe
1584	Shell.exe
1624	Shell.exe
2164	Shell.exe
1632	Shell.exe
1848	Shell.exe
2792	Shell.exe
2636	Shell.exe
528	Shell.exe
324	Shell.exe
476	Shell.exe
976	Shell.exe
864	Shell.exe
304	Shell.exe
1480	Shell.exe
1484	Shell.exe
564	Shell.exe
1476	Shell.exe
2028	Shell.exe
2896	Shell.exe
2780	Shell.exe
2880	Shell.exe
1648	Shell.exe
1640	Shell.exe
612	Shell.exe
1416	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2244	2488	2b63a7ad30d6de52b5f53c5717f82d56.exe	240
PID 2488 wrote to memory of 2244	2488	2b63a7ad30d6de52b5f53c5717f82d56.exe	240
PID 2488 wrote to memory of 2244	2488	2b63a7ad30d6de52b5f53c5717f82d56.exe	240
PID 2488 wrote to memory of 2244	2488	2b63a7ad30d6de52b5f53c5717f82d56.exe	240
PID 2244 wrote to memory of 2376	2244	Shell.exe	239
PID 2244 wrote to memory of 2376	2244	Shell.exe	239
PID 2244 wrote to memory of 2376	2244	Shell.exe	239
PID 2244 wrote to memory of 2376	2244	Shell.exe	239
PID 2376 wrote to memory of 2360	2376	Shell.exe	14
PID 2376 wrote to memory of 2360	2376	Shell.exe	14
PID 2376 wrote to memory of 2360	2376	Shell.exe	14
PID 2376 wrote to memory of 2360	2376	Shell.exe	14
PID 2360 wrote to memory of 2824	2360	Shell.exe	238
PID 2360 wrote to memory of 2824	2360	Shell.exe	238
PID 2360 wrote to memory of 2824	2360	Shell.exe	238
PID 2360 wrote to memory of 2824	2360	Shell.exe	238
PID 2824 wrote to memory of 2852	2824	Shell.exe	237
PID 2824 wrote to memory of 2852	2824	Shell.exe	237
PID 2824 wrote to memory of 2852	2824	Shell.exe	237
PID 2824 wrote to memory of 2852	2824	Shell.exe	237
PID 2852 wrote to memory of 2720	2852	Shell.exe	236
PID 2852 wrote to memory of 2720	2852	Shell.exe	236
PID 2852 wrote to memory of 2720	2852	Shell.exe	236
PID 2852 wrote to memory of 2720	2852	Shell.exe	236
PID 2720 wrote to memory of 3036	2720	Shell.exe	235
PID 2720 wrote to memory of 3036	2720	Shell.exe	235
PID 2720 wrote to memory of 3036	2720	Shell.exe	235
PID 2720 wrote to memory of 3036	2720	Shell.exe	235
PID 3036 wrote to memory of 2576	3036	Shell.exe	15
PID 3036 wrote to memory of 2576	3036	Shell.exe	15
PID 3036 wrote to memory of 2576	3036	Shell.exe	15
PID 3036 wrote to memory of 2576	3036	Shell.exe	15
PID 2576 wrote to memory of 2812	2576	Shell.exe	234
PID 2576 wrote to memory of 2812	2576	Shell.exe	234
PID 2576 wrote to memory of 2812	2576	Shell.exe	234
PID 2576 wrote to memory of 2812	2576	Shell.exe	234
PID 2812 wrote to memory of 2604	2812	Shell.exe	233
PID 2812 wrote to memory of 2604	2812	Shell.exe	233
PID 2812 wrote to memory of 2604	2812	Shell.exe	233
PID 2812 wrote to memory of 2604	2812	Shell.exe	233
PID 2604 wrote to memory of 2980	2604	Shell.exe	232
PID 2604 wrote to memory of 2980	2604	Shell.exe	232
PID 2604 wrote to memory of 2980	2604	Shell.exe	232
PID 2604 wrote to memory of 2980	2604	Shell.exe	232
PID 2980 wrote to memory of 2564	2980	Shell.exe	231
PID 2980 wrote to memory of 2564	2980	Shell.exe	231
PID 2980 wrote to memory of 2564	2980	Shell.exe	231
PID 2980 wrote to memory of 2564	2980	Shell.exe	231
PID 2564 wrote to memory of 2612	2564	Shell.exe	230
PID 2564 wrote to memory of 2612	2564	Shell.exe	230
PID 2564 wrote to memory of 2612	2564	Shell.exe	230
PID 2564 wrote to memory of 2612	2564	Shell.exe	230
PID 2612 wrote to memory of 2688	2612	Shell.exe	229
PID 2612 wrote to memory of 2688	2612	Shell.exe	229
PID 2612 wrote to memory of 2688	2612	Shell.exe	229
PID 2612 wrote to memory of 2688	2612	Shell.exe	229
PID 2688 wrote to memory of 1856	2688	Shell.exe	228
PID 2688 wrote to memory of 1856	2688	Shell.exe	228
PID 2688 wrote to memory of 1856	2688	Shell.exe	228
PID 2688 wrote to memory of 1856	2688	Shell.exe	228
PID 1856 wrote to memory of 2436	1856	Shell.exe	227
PID 1856 wrote to memory of 2436	1856	Shell.exe	227
PID 1856 wrote to memory of 2436	1856	Shell.exe	227
PID 1856 wrote to memory of 2436	1856	Shell.exe	227

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8324

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8356

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2968
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 128
    3⤵
    - Program crash
    PID:7152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 128
  2⤵
  - Program crash
  PID:7104

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2756
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 128
    3⤵
    - Program crash
    PID:7112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 128
  2⤵
  - Program crash
  PID:6492

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 128
  2⤵
  - Program crash
  PID:7128

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1540
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 128
    3⤵
    - Program crash
    PID:7160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 128
  2⤵
  - Program crash
  PID:7120

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1748
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 128
    3⤵
    - Program crash
    PID:6656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 128
  2⤵
  - Program crash
  PID:2720

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1568
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 128
      4⤵
      Program crash
      PID:6876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 128
    3⤵
    - Program crash
    PID:6688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 128
  2⤵
  - Program crash
  PID:6676

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:392
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 128
    3⤵
    - Program crash
    PID:6784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 128
  2⤵
  - Program crash
  PID:6752

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1584
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 128
    3⤵
    - Program crash
    PID:6508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 128
  2⤵
  - Program crash
  PID:6960

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1632
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 128
    3⤵
    - Program crash
    PID:7148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 128
  2⤵
  - Program crash
  PID:6860

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2792
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 128
      4⤵
      Program crash
      PID:7220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 128
    3⤵
    - Program crash
    PID:7060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 128
  2⤵
  - Program crash
  PID:6532

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:324
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 128
    3⤵
    - Program crash
    PID:7252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 128
  2⤵
  - Program crash
  PID:7228

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:976
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 128
    3⤵
    - Program crash
    PID:7280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 128
  2⤵
  - Program crash
  PID:7352

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:304
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 128
    3⤵
    - Program crash
    PID:7388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 128
  2⤵
  - Program crash
  PID:7360

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1476
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 128
      4⤵
      Program crash
      PID:7520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 128
    3⤵
    - Program crash
    PID:7464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 128
  2⤵
  - Program crash
  PID:7412

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 128
  2⤵
  - Program crash
  PID:7436

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 128
  2⤵
  - Program crash
  PID:7380

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2880
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 128
      4⤵
      Program crash
      PID:7628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 128
    3⤵
    - Program crash
    PID:7544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 128
  2⤵
  - Program crash
  PID:7620

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:612
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 128
    3⤵
    - Program crash
    PID:7744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 128
  2⤵
  - Program crash
  PID:7612

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
PID:1252
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 128
    3⤵
    PID:7884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 128
  2⤵
  - Program crash
  PID:7780

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1524
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 128
    3⤵
    - Program crash
    PID:7756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 128
  2⤵
  - Program crash
  PID:7668

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1380
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:1376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 128
    3⤵
    - Program crash
    PID:7716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 128
  2⤵
  - Program crash
  PID:7652

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1716
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 128
    3⤵
    - Program crash
    PID:7796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 128
  2⤵
  - Program crash
  PID:7764

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:1700
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 128
    3⤵
    PID:7912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 128
  2⤵
  - Program crash
  PID:7804

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1164
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 128
    3⤵
    PID:7860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 128
  2⤵
  - Program crash
  PID:7836

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 128
  2⤵
  - Program crash
  PID:7820

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:812
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 128
    3⤵
    PID:7876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 128
  2⤵
  PID:7868

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1472
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 128
    3⤵
    PID:8052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 128
  2⤵
  PID:8060

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1248
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 128
    3⤵
    PID:7944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 128
  2⤵
  PID:7920

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2284
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 128
    3⤵
    PID:7936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 128
  2⤵
  PID:7972

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:2036
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 128
    3⤵
    PID:7456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 128
  2⤵
  PID:8044

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1688
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:816
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Adds Run key to start application
    PID:3064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 128
      4⤵
      PID:8072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 128
    3⤵
    PID:7660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 128
  2⤵
  PID:8080

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:824
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 128
    3⤵
    PID:8096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 128
  2⤵
  PID:8088

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1912
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 128
    3⤵
    PID:8112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 128
  2⤵
  PID:8104

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1148
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 128
    3⤵
    PID:8128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 128
  2⤵
  PID:8120

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:440
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 128
    3⤵
    PID:8136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 128
  2⤵
  PID:8144

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2320
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 128
    3⤵
    PID:8160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 128
  2⤵
  PID:8152

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1208
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 128
    3⤵
    PID:8188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 128
  2⤵
  PID:8172

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2464
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 128
    3⤵
    PID:6872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 128
  2⤵
  PID:6556

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:1900
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 128
    3⤵
    PID:7016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 128
  2⤵
  PID:6880

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1544
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 128
    3⤵
    PID:7212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 128
  2⤵
  PID:7308

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1536
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 128
    3⤵
    PID:7480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 128
  2⤵
  PID:7260

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2396
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 128
    3⤵
    PID:7664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 128
  2⤵
  PID:7512

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1964
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 128
    3⤵
    PID:8004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 128
  2⤵
  PID:7852

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1620
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:756
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 128
      4⤵
      PID:6964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 128
    3⤵
    PID:7896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 128
  2⤵
  PID:8012

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1360
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 128
    3⤵
    PID:8196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 128
  2⤵
  PID:8204

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2064
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 128
    3⤵
    PID:8212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 128
  2⤵
  PID:7932

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1944
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 128
    3⤵
    PID:8220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 128
  2⤵
  PID:8236

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:892
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 128
    3⤵
    PID:8228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 128
  2⤵
  PID:8284

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1048
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 128
    3⤵
    PID:8244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 128
  2⤵
  PID:8252

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:620
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 128
    3⤵
    PID:8276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 128
  2⤵
  PID:8268

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:2332
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 128
    3⤵
    PID:8260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 128
  2⤵
  PID:8292

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2184
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 128
    3⤵
    PID:8348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 128
  2⤵
  PID:8300

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3040
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:2168
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\Deleteme.bat
      4⤵
      PID:8476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 128
  2⤵
  PID:8400

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1012
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8512

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:1680
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 128
  2⤵
  PID:8576

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3024
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 128
    3⤵
    PID:8684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 128
  2⤵
  PID:8660

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1924
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 128
    3⤵
    PID:8676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 128
  2⤵
  PID:8668

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:872
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 128
    3⤵
    PID:8764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 128
  2⤵
  PID:8848

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1088
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 128
    3⤵
    PID:8872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 128
  2⤵
  PID:8856

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2084
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 128
    3⤵
    PID:8864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 128
  2⤵
  PID:8756

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1864
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 128
    3⤵
    PID:8880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 128
  2⤵
  PID:8840

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2916
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 128
        7⤵
        
        PID:9004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 128
        6⤵
        
        PID:8932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 128
        5⤵
        
        PID:9012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 128
      4⤵
      PID:8948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 128
    3⤵
    PID:8984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 128
  2⤵
  PID:8924

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2260
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 128
  2⤵
  PID:8940

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2672
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 128
    3⤵
    PID:8992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 128
  2⤵
  PID:8956

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2712
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2816
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Adds Run key to start application
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\Deleteme.bat
      4⤵
      PID:9176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 128
  2⤵
  PID:8916

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2860
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 128
  2⤵
  PID:280

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2088
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 128
    3⤵
    PID:8524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 128
  2⤵
  PID:8900

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2808
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 128
    3⤵
    PID:8616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8416

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:3032
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:8640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 128
  2⤵
  PID:552

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2884
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 128
    3⤵
    PID:8624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 128
  2⤵
  PID:8836

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2584
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:2628
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Adds Run key to start application
    PID:2640
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:1992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 128
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 128
      4⤵
      PID:8468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 128
    3⤵
    PID:1012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 128
  2⤵
  PID:8632

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2856
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:740
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 128
      4⤵
      PID:8592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 128
    3⤵
    PID:9144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 128
  2⤵
  PID:8508

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:2552
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 128
      4⤵
      PID:9164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 128
    3⤵
    PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 128
  2⤵
  PID:8412

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2196
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:1968
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Drops file in System32 directory
    PID:1956
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:2220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 128
        5⤵
        
        PID:9136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 128
      4⤵
      PID:9316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 128
    3⤵
    PID:9184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 128
  2⤵
  PID:9172

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9324

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:2936
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 128
    3⤵
    PID:8484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 128
  2⤵
  PID:9308

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3084
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 128
    3⤵
    PID:9020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 128
  2⤵
  PID:9456

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:3100
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 128
    3⤵
    PID:9292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9496

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3116
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 128
  2⤵
  PID:9556

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3140
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 128
  2⤵
  PID:9548

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9664

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3156
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Adds Run key to start application
  PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 128
    3⤵
    PID:9504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9848

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3172
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 128
  2⤵
  PID:9856

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:3188
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:3196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 128
    3⤵
    PID:9944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 128
  2⤵
  PID:9864

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3204
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 128
  2⤵
  PID:9332

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3220
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Adds Run key to start application
    PID:3236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 128
      4⤵
      PID:9300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:9772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 128
  2⤵
  PID:9276

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3244
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 128
    3⤵
    PID:9284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9592

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3260
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3268
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:3276
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:3284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 128
        5⤵
        
        PID:9908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\Deleteme.bat
      4⤵
      PID:9700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 128
    3⤵
    PID:9340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9808

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Adds Run key to start application
PID:3292
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:3308
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:3316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 128
        5⤵
        
        PID:9900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 128
      4⤵
      PID:9960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 128
    3⤵
    PID:9888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:9736

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3324
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:3340
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:3348
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:3356
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        9⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        10⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        11⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        12⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        13⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        14⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        15⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        16⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        17⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        18⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        19⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        20⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        21⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        22⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        23⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        24⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        25⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        26⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        27⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        28⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        29⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        30⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        31⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        32⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        33⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        34⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        35⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        36⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        37⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        38⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        39⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        40⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        41⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        42⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        43⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        44⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        45⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        46⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        47⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        48⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        49⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        50⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        51⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        52⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        53⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        54⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        55⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        56⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        57⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        58⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        59⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        60⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        61⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        62⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        63⤵
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        64⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        65⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        66⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        67⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        68⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        69⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        70⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 128
        71⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 128
        70⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 128
        69⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 128
        68⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 128
        66⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 128
        64⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 128
        62⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 128
        61⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 128
        59⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 128
        58⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 128
        57⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 128
        56⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 128
        55⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 128
        54⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 128
        53⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 128
        52⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 128
        51⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 128
        50⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 128
        49⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 128
        48⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 128
        47⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 128
        45⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 128
        43⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 128
        41⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 128
        40⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 128
        39⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 128
        38⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 128
        37⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 128
        35⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 128
        33⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 128
        32⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 128
        31⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 128
        30⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\Deleteme.bat
        29⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 128
        28⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 128
        27⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 128
        26⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 128
        24⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\Deleteme.bat
        23⤵
        Adds Run key to start application
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 128
        21⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 128
        19⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\Deleteme.bat
        18⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 128
        17⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 128
        16⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 128
        15⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 128
        14⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 128
        13⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 128
        12⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\Deleteme.bat
        11⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 128
        10⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 128
        9⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 128
        8⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 128
        7⤵
        
        PID:10076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 128
        6⤵
        
        PID:10120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 128
        5⤵
        
        PID:9880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 128
      4⤵
      PID:10104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\Deleteme.bat
    3⤵
    PID:10068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 128
  2⤵
  PID:10112

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 128
  2⤵
  PID:8904

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 128
  2⤵
  PID:7828

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 128
  2⤵
  PID:7704

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 128
  2⤵
  - Program crash
  PID:7772

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 128
  2⤵
  - Program crash
  PID:7528

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 128
  2⤵
  - Program crash
  PID:7004

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 128
  2⤵
  - Program crash
  PID:6612

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 128
  2⤵
  - Program crash
  PID:6112

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 128
  2⤵
  - Program crash
  PID:7064

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 128
  2⤵
  - Program crash
  PID:7052

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 128
  2⤵
  - Program crash
  PID:7044

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 128
  2⤵
  - Program crash
  PID:7024

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 128
  2⤵
  - Program crash
  PID:6940

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 128
  2⤵
  - Program crash
  PID:6920

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 128
  2⤵
  - Program crash
  PID:6788

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 128
  2⤵
  - Program crash
  PID:6848

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 128
  2⤵
  - Program crash
  PID:6772

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 128
  2⤵
  - Program crash
  PID:6724

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 128
  2⤵
  - Program crash
  PID:6700

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 128
  2⤵
  - Program crash
  PID:6732

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8340

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8332

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:6560

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8316

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8392

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:8380

C:\Users\Admin\AppData\Local\Temp\2b63a7ad30d6de52b5f53c5717f82d56.exe
"C:\Users\Admin\AppData\Local\Temp\2b63a7ad30d6de52b5f53c5717f82d56.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:6568

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3968
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 128
  2⤵
  PID:10624

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:4012
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 128
    3⤵
    PID:12248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 128
  2⤵
  PID:10576

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 128
  2⤵
  PID:12228

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:4060
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:4088
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 128
      4⤵
      PID:13900

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:3380
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3668

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3824
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3828

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3872
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:3920
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 128
      4⤵
      PID:11648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 128
  2⤵
  PID:9956

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 128
  2⤵
  PID:12744

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:3948
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 128
      4⤵
      PID:10784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 128
  2⤵
  PID:9728

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:4004
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 128
    3⤵
    PID:10964

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
- Drops file in System32 directory
PID:4032
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    - Drops file in System32 directory
    PID:4084
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:2952
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:4100
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        9⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        11⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        12⤵
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        13⤵
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        14⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        15⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        16⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        17⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        18⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        19⤵
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        20⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        21⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        22⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        23⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        24⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        25⤵
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        26⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        27⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        28⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        29⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        30⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        31⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        32⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        33⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        34⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        35⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        36⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        37⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        38⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        39⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        40⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        41⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        42⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        43⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        44⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        45⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        46⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        47⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        48⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        49⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        50⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        51⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        52⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        53⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        54⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        55⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        56⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        57⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        58⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        59⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        60⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        61⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        62⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        63⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        64⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        65⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        66⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        67⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        68⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        69⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        70⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        71⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        72⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        73⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        74⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        75⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        76⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        77⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        78⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        79⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        80⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        81⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        82⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        83⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        84⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        85⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        86⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        87⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        88⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        89⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        90⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        91⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        92⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        93⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        94⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        95⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        96⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        97⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        98⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        99⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        100⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        101⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        102⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        103⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        104⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        105⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        106⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        107⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        108⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        109⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        110⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        111⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        112⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        113⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        114⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        115⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        116⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        117⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        118⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        119⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        120⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        121⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        122⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        123⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        124⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        125⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        126⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        127⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        128⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        129⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        130⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        131⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        132⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        133⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        134⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        135⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        136⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        137⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        138⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        139⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        140⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        141⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        142⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        143⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        144⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        145⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        146⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        147⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        148⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        149⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        150⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        151⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        152⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        153⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        154⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        155⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        156⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        157⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        158⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        159⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        160⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        161⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        162⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        163⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        164⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        165⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        166⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        167⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        168⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        169⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        170⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        171⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        172⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        173⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        174⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        175⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        176⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        177⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        178⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        179⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        180⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        181⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        182⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        183⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        184⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        185⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        186⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        187⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        188⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        189⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        190⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        191⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        192⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        193⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        194⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        195⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        196⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        197⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        198⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        199⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        200⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        201⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        202⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        203⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        204⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        205⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        206⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        207⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        208⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        209⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        210⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        211⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        212⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        213⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        214⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        215⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        216⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        217⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        218⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        219⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        220⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        221⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        222⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        223⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        224⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        225⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        226⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        227⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        228⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        229⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        230⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        231⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        232⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        233⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        234⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        235⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        236⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 128
        230⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 128
        205⤵
        
        PID:13820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 128
        203⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 128
        200⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 128
        199⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 128
        183⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 128
        171⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 128
        160⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 128
        159⤵
        
        PID:13612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 128
        157⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 128
        156⤵
        
        PID:13740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 128
        126⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 128
        106⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 128
        105⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 128
        104⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 128
        91⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 128
        90⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 128
        86⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 128
        85⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 128
        83⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 128
        81⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 128
        80⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 128
        79⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 128
        78⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 128
        75⤵
        
        PID:13628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 128
        72⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 128
        70⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 128
        65⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 128
        58⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 128
        56⤵
        
        PID:13768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 128
        54⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 128
        50⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 128
        47⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 128
        41⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 128
        37⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 128
        36⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 128
        34⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 128
        30⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 128
        29⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 128
        28⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 128
        26⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 128
        25⤵
        
        PID:12056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 128
        17⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 128
        14⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 128
        12⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 128
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 128
        9⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 128
        7⤵
        
        PID:12164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 128
        6⤵
        
        PID:9640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 128
        5⤵
        
        PID:10640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 128
      4⤵
      PID:10940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 128
  2⤵
  PID:10952

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2072

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:2948

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6024
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6048
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:6056
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        10⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        11⤵
        
        PID:6104

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6116
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:6124
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6132
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6140

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:5124
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      Drops file in System32 directory
      PID:5196
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:5212
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:5352

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:5720
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Drops file in System32 directory
  PID:6148
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6156
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6164
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:6172
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:6188

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6196
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6212
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6220
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:6228
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:6244

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6252
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:6260
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6268
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6280
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:6288
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        9⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        10⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        11⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        12⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        13⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        14⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        15⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        16⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        17⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        18⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        19⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        20⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        21⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        22⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        23⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        24⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        25⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        26⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        27⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        28⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        29⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        30⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        31⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 128
        25⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 128
        13⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 128
        9⤵
        
        PID:12992

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6604
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:6636
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6692

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6744
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  PID:6796
- - C:\Windows\SysWOW64\Shell.exe
    C:\Windows\system32\Shell.exe
    3⤵
    PID:6808
  - - C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      4⤵
      PID:6824
    - - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        5⤵
        
        PID:6864
      - C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        6⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        7⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        8⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        9⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        10⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        11⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        12⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        13⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        14⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        15⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        16⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        17⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        18⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        19⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        20⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        21⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        22⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        23⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        24⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        25⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        26⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        27⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        28⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        29⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        30⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        31⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        32⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        33⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        34⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\Shell.exe
        
        C:\Windows\system32\Shell.exe
        35⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8964 -s 128
        30⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 128
        27⤵
        
        PID:13868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 128
        25⤵
        
        PID:13732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 128
        23⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7244 -s 128
        21⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 128
        12⤵
        
        PID:13852

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6716

C:\Windows\SysWOW64\Shell.exe
C:\Windows\system32\Shell.exe
1⤵
PID:6708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
102B

MD5
b5bf6633f68d58fe04d9ab5231455608

SHA1
12505b08480f12d2f0a70b60c6dfe7e1a26d39d3

SHA256
01fba57ee163b59b5f13ced03b285cc63caa47db0898aaabebeecde0eec1b339

SHA512
650df06f5f6a2bcb866fa10d7b514dd519dda88e06db490ae4486e5745f2dae0d4de8c3e736459765114841a2476d1e357cefc09e8148df63142b9a161018c8f

Download Submit
\Windows\SysWOW64\Shell.exe

Filesize
166KB

MD5
2b63a7ad30d6de52b5f53c5717f82d56

SHA1
d97f132bfe9738f43b79eb9cf8b9243dab27e5ce

SHA256
d2a62ecb1dedb42307ae5728e7f02ba124094c722ab4dda4074980b419301d87

SHA512
0eab90f83dd019724db0d46b47f6cc8f44efef4bc61e5e5e51ef96d4314fd066aa3a536a420ef1dd3f5da70591f5a7a0444560857a5061b7b885ad0644bda85f

Download Submit
memory/560-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download