38a02f4754979140af96c26cb7e5eb36218f60677dfa2f3bbc40ea93ac03ccc7

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e6d4dc0b895fdd93824590f24492b60N.exe
Size

218KB
MD5

9e6d4dc0b895fdd93824590f24492b60
SHA1

a46e18e11c0e6b7c90edcd52c182e7480a67d383
SHA256

38a02f4754979140af96c26cb7e5eb36218f60677dfa2f3bbc40ea93ac03ccc7
SHA512

344c689924d2d678105156271ec85c7f6a76a1879431b63aa64d51405e7ee0a3c779860d2a23a25d649f69240970005d4143d9a92dc1c50eddff8911aa8eb506
SSDEEP

3072:HGBT753Q+RgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8Cg2U:m753RgWg4aAXjb6aEFfooeLNZxCo

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9e6d4dc0b895fdd93824590f24492b60N.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9e6d4dc0b895fdd93824590f24492b60N.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	9e6d4dc0b895fdd93824590f24492b60N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2668	Tiwi.exe
2392	Shell.exe
4776	Shell.exe
2336	Shell.exe
2344	Shell.exe
1744	Shell.exe
756	Shell.exe
5088	Shell.exe
2928	Shell.exe
3824	Shell.exe
548	Shell.exe
728	Shell.exe
1540	Shell.exe
1444	Shell.exe
4468	Shell.exe
4936	Shell.exe
3604	Shell.exe
1416	Shell.exe
3624	Shell.exe
4000	Shell.exe
1720	Shell.exe
3676	Shell.exe
5048	Shell.exe
3260	Shell.exe
4648	Shell.exe
1204	Shell.exe
4884	Shell.exe
3860	Shell.exe
2904	Shell.exe
4428	Shell.exe
2404	Shell.exe
3360	IExplorer.exe
1688	Shell.exe
3068	Shell.exe
4328	Shell.exe
3964	Shell.exe
4156	Shell.exe
2248	Shell.exe
2068	Shell.exe
2572	Shell.exe
2036	Shell.exe
3492	Shell.exe
3112	Shell.exe
4624	Shell.exe
3440	Shell.exe
3648	Shell.exe
760	Shell.exe
3680	Shell.exe
4776	Shell.exe
224	Shell.exe
3756	Shell.exe
2344	Shell.exe
3604	Shell.exe
2864	Shell.exe
1888	Shell.exe
512	Shell.exe
1500	Shell.exe
3668	Shell.exe
2776	Shell.exe
3888	Shell.exe
2796	Shell.exe
3876	Shell.exe
2772	Tiwi.exe
3812	Shell.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3336-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x00070000000233aa-7.dat	upx
behavioral2/files/0x00070000000233a8-94.dat	upx
behavioral2/memory/2668-96-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x00070000000233aa-99.dat	upx
behavioral2/memory/2392-101-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2344-111-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2344-114-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1744-118-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2336-119-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/5088-126-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2928-130-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/756-131-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4776-132-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3336-134-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2668-138-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2392-142-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/728-145-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1540-149-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/548-150-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4468-157-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4936-161-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1444-162-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3824-163-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4000-176-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1720-180-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3624-181-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/5048-188-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3260-192-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3676-193-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1416-194-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3604-202-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4884-205-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3860-209-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1204-210-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4428-217-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2404-221-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2904-222-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4648-223-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/files/0x00070000000233ac-225.dat	upx
behavioral2/memory/3360-226-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3964-242-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4156-246-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4328-247-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2068-254-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2572-258-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2248-259-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3068-260-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3360-265-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1688-269-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3112-272-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4624-276-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3492-277-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3648-284-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/760-288-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3440-289-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2036-290-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3756-303-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2344-307-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/224-308-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/2864-315-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/1888-319-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/3604-320-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral2/memory/4776-321-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	9e6d4dc0b895fdd93824590f24492b60N.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\H:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\J:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\K:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\M:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\S:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\E:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\R:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\U:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\V:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\Z:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\N:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\I:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\L:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\O:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\P:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\B:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\T:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\W:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\X:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\Y:	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened (read-only)	\??\Q:	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	9e6d4dc0b895fdd93824590f24492b60N.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification	F:\autorun.inf	9e6d4dc0b895fdd93824590f24492b60N.exe
File created	C:\autorun.inf	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification	C:\autorun.inf	9e6d4dc0b895fdd93824590f24492b60N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	9e6d4dc0b895fdd93824590f24492b60N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	9e6d4dc0b895fdd93824590f24492b60N.exe
File created	C:\Windows\SysWOW64\shell.exe	9e6d4dc0b895fdd93824590f24492b60N.exe
File created	C:\Windows\SysWOW64\tiwi.scr	9e6d4dc0b895fdd93824590f24492b60N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tiwi.exe	9e6d4dc0b895fdd93824590f24492b60N.exe
File created	C:\Windows\tiwi.exe	9e6d4dc0b895fdd93824590f24492b60N.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4552	2668	WerFault.exe	84
388	2392	WerFault.exe	90
2084	4776	WerFault.exe	93
4564	2336	WerFault.exe	96
4888	756	WerFault.exe	103
512	3824	WerFault.exe	110
2360	548	WerFault.exe	113
4344	1444	WerFault.exe	120
4240	3604	WerFault.exe	127
1908	1416	WerFault.exe	130
2244	3624	WerFault.exe	133
2896	3676	WerFault.exe	140
1744	4648	WerFault.exe	147
3344	1204	WerFault.exe	150
3164	2904	WerFault.exe	157
2488	3360	WerFault.exe	164
5072	1688	WerFault.exe	167
3848	3068	WerFault.exe	170
3040	4328	WerFault.exe	173
4080	2248	WerFault.exe	180
264	2036	WerFault.exe	187
624	3492	WerFault.exe	190
3124	3440	WerFault.exe	197
2032	3680	WerFault.exe	204
4804	4776	WerFault.exe	207
1464	224	WerFault.exe	210
3300	3604	WerFault.exe	217
2020	512	WerFault.exe	224
3588	1500	WerFault.exe	227
2248	3888	WerFault.exe	234
5088	2772	WerFault.exe	241
1056	3812	WerFault.exe	244
1028	2808	WerFault.exe	247
4956	4924	WerFault.exe	250
3164	4572	WerFault.exe	257
1540	4364	WerFault.exe	264
3896	744	WerFault.exe	267
2224	3636	WerFault.exe	274
5048	3068	WerFault.exe	281
2248	116	WerFault.exe	284
3964	3888	WerFault.exe	287
2312	3360	WerFault.exe	294
4492	2924	WerFault.exe	301
3388	1064	WerFault.exe	304
2168	5028	WerFault.exe	311
4204	1588	WerFault.exe	328
4988	1588	WerFault.exe	328
2764	4744	WerFault.exe	333
888	2364	WerFault.exe	336
2452	3996	WerFault.exe	339
2404	1244	WerFault.exe	346
2848	4516	WerFault.exe	353
4700	1724	WerFault.exe	356
2908	2772	WerFault.exe	364
1168	3860	WerFault.exe	371
2472	4244	WerFault.exe	374
3112	4824	WerFault.exe	377
5020	3916	WerFault.exe	384
3160	4284	WerFault.exe	391
4644	2864	WerFault.exe	394
2484	1644	WerFault.exe	403
2848	2908	WerFault.exe	410
4064	2908	WerFault.exe	410
348	3472	WerFault.exe	415

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe

Modifies Control Panel 9 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Tiwi"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Tiwi"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	9e6d4dc0b895fdd93824590f24492b60N.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	9e6d4dc0b895fdd93824590f24492b60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	9e6d4dc0b895fdd93824590f24492b60N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3336	9e6d4dc0b895fdd93824590f24492b60N.exe
3336	9e6d4dc0b895fdd93824590f24492b60N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3336	9e6d4dc0b895fdd93824590f24492b60N.exe
2668	Tiwi.exe
2392	Shell.exe
4776	Shell.exe
2336	Shell.exe
2344	Shell.exe
1744	Shell.exe
756	Shell.exe
5088	Shell.exe
2928	Shell.exe
3824	Shell.exe
548	Shell.exe
728	Shell.exe
1540	Shell.exe
1444	Shell.exe
4468	Shell.exe
4936	Shell.exe
3604	Shell.exe
1416	Shell.exe
3624	Shell.exe
4000	Shell.exe
1720	Shell.exe
3676	Shell.exe
5048	Shell.exe
3260	Shell.exe
4648	Shell.exe
1204	Shell.exe
4884	Shell.exe
3860	Shell.exe
2904	Shell.exe
4428	Shell.exe
2404	Shell.exe
3360	IExplorer.exe
1688	Shell.exe
3068	Shell.exe
4328	Shell.exe
3964	Shell.exe
4156	Shell.exe
2248	Shell.exe
2068	Shell.exe
2572	Shell.exe
2036	Shell.exe
3492	Shell.exe
3112	Shell.exe
4624	Shell.exe
3440	Shell.exe
3648	Shell.exe
760	Shell.exe
3680	Shell.exe
4776	Shell.exe
224	Shell.exe
3756	Shell.exe
2344	Shell.exe
3604	Shell.exe
2864	Shell.exe
1888	Shell.exe
512	Shell.exe
1500	Shell.exe
3668	Shell.exe
2776	Shell.exe
3888	Shell.exe
2796	Shell.exe
3876	Shell.exe
2772	Tiwi.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	84
PID 3336 wrote to memory of 2668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	84
PID 3336 wrote to memory of 2668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	84
PID 3336 wrote to memory of 3360	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	164
PID 3336 wrote to memory of 3360	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	164
PID 3336 wrote to memory of 3360	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	164
PID 3336 wrote to memory of 2772	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	241
PID 3336 wrote to memory of 2772	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	241
PID 3336 wrote to memory of 2772	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	241
PID 3336 wrote to memory of 3516	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	318
PID 3336 wrote to memory of 3516	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	318
PID 3336 wrote to memory of 3516	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	318
PID 3336 wrote to memory of 668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	323
PID 3336 wrote to memory of 668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	323
PID 3336 wrote to memory of 668	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	323
PID 3336 wrote to memory of 1588	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	328
PID 3336 wrote to memory of 1588	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	328
PID 3336 wrote to memory of 1588	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	328
PID 3336 wrote to memory of 3124	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	361
PID 3336 wrote to memory of 3124	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	361
PID 3336 wrote to memory of 3124	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	361
PID 3336 wrote to memory of 4548	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	402
PID 3336 wrote to memory of 4548	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	402
PID 3336 wrote to memory of 4548	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	402
PID 3336 wrote to memory of 2908	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	410
PID 3336 wrote to memory of 2908	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	410
PID 3336 wrote to memory of 2908	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	410
PID 3336 wrote to memory of 944	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	435
PID 3336 wrote to memory of 944	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	435
PID 3336 wrote to memory of 944	3336	9e6d4dc0b895fdd93824590f24492b60N.exe	435

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9e6d4dc0b895fdd93824590f24492b60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	9e6d4dc0b895fdd93824590f24492b60N.exe

C:\Users\Admin\AppData\Local\Temp\9e6d4dc0b895fdd93824590f24492b60N.exe
"C:\Users\Admin\AppData\Local\Temp\9e6d4dc0b895fdd93824590f24492b60N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3336
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 516
    3⤵
    - Program crash
    PID:4552
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 536
        5⤵
        Program crash
        
        PID:388
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 484
        7⤵
        Program crash
        
        PID:2084
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 500
        9⤵
        Program crash
        
        PID:4564
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 500
        9⤵
        Program crash
        
        PID:4888
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 488
        7⤵
        Program crash
        
        PID:512
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 504
        9⤵
        Program crash
        
        PID:2360
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 500
        9⤵
        Program crash
        
        PID:4344
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 484
        5⤵
        Program crash
        
        PID:4240
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 500
        7⤵
        Program crash
        
        PID:1908
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 484
        9⤵
        Program crash
        
        PID:2244
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 484
        9⤵
        Program crash
        
        PID:2896
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3260
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 500
        7⤵
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 488
        9⤵
        Program crash
        
        PID:3344
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 484
        9⤵
        Program crash
        
        PID:3164
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 516
    3⤵
    - Program crash
    PID:2488
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 484
        5⤵
        Program crash
        
        PID:5072
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 500
        7⤵
        Program crash
        
        PID:3848
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 488
        9⤵
        Program crash
        
        PID:3040
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3964
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 488
        9⤵
        Program crash
        
        PID:4080
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 500
        7⤵
        Program crash
        
        PID:264
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 484
        9⤵
        Program crash
        
        PID:624
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 488
        9⤵
        Program crash
        
        PID:3124
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 488
        5⤵
        Program crash
        
        PID:2032
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 500
        7⤵
        Program crash
        
        PID:4804
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 488
        9⤵
        Program crash
        
        PID:1464
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3756
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 492
        9⤵
        Program crash
        
        PID:3300
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 504
        7⤵
        Program crash
        
        PID:2020
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 488
        9⤵
        Program crash
        
        PID:3588
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3668
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 484
        9⤵
        Program crash
        
        PID:2248
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3876
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 488
    3⤵
    - Program crash
    PID:5088
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 508
        5⤵
        Program crash
        
        PID:1056
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 492
        7⤵
        Program crash
        
        PID:1028
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 508
        9⤵
        Program crash
        
        PID:4956
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 508
        9⤵
        Program crash
        
        PID:3164
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 488
        7⤵
        Program crash
        
        PID:1540
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 508
        9⤵
        Program crash
        
        PID:3896
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 508
        9⤵
        Program crash
        
        PID:2224
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 508
        5⤵
        Program crash
        
        PID:5048
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 488
        7⤵
        Program crash
        
        PID:2248
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 508
        9⤵
        Program crash
        
        PID:3964
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 512
        9⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 492
        7⤵
        Program crash
        
        PID:4492
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 504
        9⤵
        Program crash
        
        PID:3388
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 508
        9⤵
        Program crash
        
        PID:2168
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1772
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  PID:3516
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:668
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 228
    3⤵
    - Program crash
    PID:4204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 236
    3⤵
    - Program crash
    PID:4988
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      PID:4744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 500
        5⤵
        Program crash
        
        PID:2764
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 488
        7⤵
        Program crash
        
        PID:888
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 500
        9⤵
        Program crash
        
        PID:2452
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 500
        9⤵
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 488
        7⤵
        Program crash
        
        PID:2848
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 500
        9⤵
        Program crash
        
        PID:4700
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 500
        9⤵
        Program crash
        
        PID:2908
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1500
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      PID:3860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 500
        5⤵
        Program crash
        
        PID:1168
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 488
        7⤵
        Program crash
        
        PID:2472
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 500
        9⤵
        Program crash
        
        PID:3112
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 500
        9⤵
        Program crash
        
        PID:5020
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4512
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 516
        7⤵
        Program crash
        
        PID:3160
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 492
        9⤵
        Program crash
        
        PID:4644
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 492
        9⤵
        Program crash
        
        PID:2484
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  PID:3124
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 484
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 504
    3⤵
    - Program crash
    PID:4064
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 488
        5⤵
        Program crash
        
        PID:348
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 508
        7⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 488
        9⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 488
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 508
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 488
        9⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 488
        9⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 488
        5⤵
        
        PID:4284
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 516
        7⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 488
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        8⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 488
        9⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        10⤵
        
        PID:4744
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2668 -ip 2668
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2392 -ip 2392
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4776 -ip 4776
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2336 -ip 2336
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2344 -ip 2344
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1744 -ip 1744
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 756 -ip 756
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5088 -ip 5088
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2928 -ip 2928
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3824 -ip 3824
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 548 -ip 548
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 728 -ip 728
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1540 -ip 1540
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1444 -ip 1444
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4468 -ip 4468
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4936 -ip 4936
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3604 -ip 3604
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1416 -ip 1416
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3624 -ip 3624
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4000 -ip 4000
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1720 -ip 1720
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3676 -ip 3676
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5048 -ip 5048
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3260 -ip 3260
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4648 -ip 4648
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1204 -ip 1204
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4884 -ip 4884
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3860 -ip 3860
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2904 -ip 2904
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4428 -ip 4428
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2404 -ip 2404
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3360 -ip 3360
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1688 -ip 1688
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3068 -ip 3068
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4328 -ip 4328
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3964 -ip 3964
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4156 -ip 4156
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2248 -ip 2248
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2068 -ip 2068
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2572 -ip 2572
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2036 -ip 2036
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3492 -ip 3492
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3112 -ip 3112
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4624 -ip 4624
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3440 -ip 3440
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3648 -ip 3648
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 760 -ip 760
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3680 -ip 3680
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4776 -ip 4776
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 224 -ip 224
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3756 -ip 3756
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2344 -ip 2344
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3604 -ip 3604
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2864 -ip 2864
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1888 -ip 1888
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 512 -ip 512
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1500 -ip 1500
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3668 -ip 3668
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2776 -ip 2776
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3888 -ip 3888
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2796 -ip 2796
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3876 -ip 3876
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2772 -ip 2772
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3812 -ip 3812
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2808 -ip 2808
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4924 -ip 4924
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5084 -ip 5084
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4716 -ip 4716
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4572 -ip 4572
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1464 -ip 1464
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1772 -ip 1772
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4364 -ip 4364
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 744 -ip 744
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4448 -ip 4448
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4248 -ip 4248
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3636 -ip 3636
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1108 -ip 1108
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4228 -ip 4228
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3068 -ip 3068
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 116 -ip 116
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3888 -ip 3888
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4204 -ip 4204
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4756 -ip 4756
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3360 -ip 3360
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4940 -ip 4940
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4780 -ip 4780
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2924 -ip 2924
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1064 -ip 1064
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3820 -ip 3820
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3800 -ip 3800
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5028 -ip 5028
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1464 -ip 1464
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1772 -ip 1772
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1588 -ip 1588
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1588 -ip 1588
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4744 -ip 4744
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2364 -ip 2364
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3996 -ip 3996
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2312 -ip 2312
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2212 -ip 2212
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 1244
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3344 -ip 3344
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3960 -ip 3960
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4516 -ip 4516
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1724 -ip 1724
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1644 -ip 1644
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4104 -ip 4104
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2772 -ip 2772
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2348 -ip 2348
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1500 -ip 1500
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3860 -ip 3860
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4244 -ip 4244
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4824 -ip 4824
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 684 -ip 684
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1200 -ip 1200
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3916 -ip 3916
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3624 -ip 3624
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4284 -ip 4284
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2864 -ip 2864
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4552 -ip 4552
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1252 -ip 1252
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1644 -ip 1644
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 2168
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1864 -ip 1864
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2908 -ip 2908
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2908 -ip 2908
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3472 -ip 3472
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 400 -ip 400
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1908 -ip 1908
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2760 -ip 2760
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3120 -ip 3120
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3624 -ip 3624
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3140 -ip 3140
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4628 -ip 4628
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3388 -ip 3388
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1848 -ip 1848
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3944 -ip 3944
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4564 -ip 4564
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1724 -ip 1724
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2176 -ip 2176
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1452 -ip 1452
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5068 -ip 5068
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1324 -ip 1324
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 748 -ip 748
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1792 -ip 1792
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2848 -ip 2848
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3724 -ip 3724
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4744 -ip 4744
1⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
39653080082ccfabfae5e46d664e2e50

SHA1
b32d6f343ef805d0cf8bbeb0a9ad6416205f78bc

SHA256
5b67b850a367096dda6a1db476ca93b7bb461eff3f09f965a72fd7c8b33e4ec2

SHA512
236e15c6a10e88bb13c069ab5774fff0b056870e3b8d8fd21701c84d9647a18086f83a17733575304d2ad53acf29e5f07ccf79503bbe2ba99d0842e6b5b92477

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
218KB

MD5
0bd8be0cd43c751440c5ff35c5ac6db1

SHA1
b9fd76fb4cdf614da146c1113e62a4627b5fe916

SHA256
f9604e32de96faabc7a2a9c4d36d27fffcdb781330ee851ae6afc707d222bde5

SHA512
c03dc905d18b2b1fc3bf06b145373478f225550f18516cab8ff1d7ad17e517703da352a88c135946e7ee8b758491df843e91188191c7a5080675564e69089a17

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
218KB

MD5
9e6d4dc0b895fdd93824590f24492b60

SHA1
a46e18e11c0e6b7c90edcd52c182e7480a67d383

SHA256
38a02f4754979140af96c26cb7e5eb36218f60677dfa2f3bbc40ea93ac03ccc7

SHA512
344c689924d2d678105156271ec85c7f6a76a1879431b63aa64d51405e7ee0a3c779860d2a23a25d649f69240970005d4143d9a92dc1c50eddff8911aa8eb506

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
218KB

MD5
59dd927e9ceaec33ba537cc99873419a

SHA1
241a77924f2fd7fd7c8f4c8f69c244b1b0721254

SHA256
1cc10b2bbb55ce7a68636795ef85f163dd2a8b55dff54811464f7ee7eace192d

SHA512
ef7875b29b0427200c4113fabafcd980f88c63947db3293a95d7514188549abe06ac055e2121ff921cebf974ad59feadbea18b36c5a3846a91fa2ba15ade828d

Download Submit
C:\Windows\tiwi.exe

Filesize
218KB

MD5
e7adb5bf4201d2bb8fb8534b2ae981ef

SHA1
294bd93f84ebe61ad8ed69ba1d01a0184a3af370

SHA256
d1d3b96b2f67098ef8b95233c216f808dbc9ff1426ee772cf254db5274ad7c36

SHA512
45f33aa62ab80987210c73b2aa694b928f36c95e8b49490c02402c19e6fdd5ec55de3527018120c57379b5db98b4b8e7d603c7cf66cfca301f563817f2f67928

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/116-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3812-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download