1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Size

6.1MB
MD5

b6c3c24ef82334f03d1f327425c24cca
SHA1

0ce5d0f630ac8e974948bb79c75cfc6d2af4ec23
SHA256

1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89
SHA512

e00ae88cc9fc46eb56dd97eb1fd06010f24f9dfd3a04e9d0d98317c2fe46f333b31091f182c649b0d44f3337b5a427aec447a4904386e0b633c3d0e401598a99
SSDEEP

98304:7FjmMnkvdYU5sLlpfQzAnpcDL21C0VNO1G0Ov9fGrBAWABE9dua/hQxOX+xQLo:9Bkv0gLDKCYkG0w5GtAWABY8a5QxOlL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 32 IoCs

flow	pid	Process
17	4616	rundll32.exe
19	4500	rundll32.exe
27	1312	rundll32.exe
28	1388	rundll32.exe
32	4500	rundll32.exe
33	4500	rundll32.exe
36	4616	rundll32.exe
37	1312	rundll32.exe
38	1388	rundll32.exe
40	3592	rundll32.exe
41	3348	rundll32.exe
42	3992	rundll32.exe
43	3592	rundll32.exe
44	3348	rundll32.exe
45	1424	rundll32.exe
47	3992	rundll32.exe
48	1196	rundll32.exe
49	1424	rundll32.exe
50	2516	rundll32.exe
51	2644	rundll32.exe
52	1196	rundll32.exe
53	4392	rundll32.exe
54	2516	rundll32.exe
55	4920	rundll32.exe
56	2644	rundll32.exe
57	4576	rundll32.exe
58	4392	rundll32.exe
59	4920	rundll32.exe
60	2356	rundll32.exe
61	4576	rundll32.exe
62	1160	rundll32.exe
63	5020	rundll32.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe

Loads dropped DLL 32 IoCs

pid	Process
4616	rundll32.exe
4500	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1388	rundll32.exe
204	rundll32.exe
204	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
3592	rundll32.exe
3348	rundll32.exe
3348	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1196	rundll32.exe
1196	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2644	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4920	rundll32.exe
4920	rundll32.exe
4576	rundll32.exe
3064	rundll32.exe
3064	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
1160	rundll32.exe
5020	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1336	3464	WerFault.exe	81
3184	3464	WerFault.exe	81
1772	3464	WerFault.exe	81
268	3464	WerFault.exe	81
4196	3464	WerFault.exe	81
5036	3464	WerFault.exe	81
2820	3464	WerFault.exe	81
4788	3464	WerFault.exe	81
2308	2264	WerFault.exe	100
4044	2264	WerFault.exe	100
2604	2264	WerFault.exe	100
4388	2264	WerFault.exe	100
4080	2264	WerFault.exe	100
3404	2264	WerFault.exe	100
1312	2264	WerFault.exe	100
3916	2264	WerFault.exe	100
1520	2208	WerFault.exe	119
3824	2208	WerFault.exe	119
3724	2208	WerFault.exe	119
1360	2208	WerFault.exe	119
4620	2208	WerFault.exe	119
1192	2208	WerFault.exe	119
2644	2208	WerFault.exe	119
2296	2208	WerFault.exe	119
4660	3464	WerFault.exe	81
2200	2208	WerFault.exe	119
4456	2208	WerFault.exe	119
2340	976	WerFault.exe	138
3628	976	WerFault.exe	138
3488	976	WerFault.exe	138
4444	976	WerFault.exe	138
2604	976	WerFault.exe	138
4388	976	WerFault.exe	138
4080	976	WerFault.exe	138
3476	976	WerFault.exe	138
2716	2264	WerFault.exe	100
3732	976	WerFault.exe	138
4088	3432	WerFault.exe	162
1776	3432	WerFault.exe	162
4884	3432	WerFault.exe	162
2404	3432	WerFault.exe	162
3988	3432	WerFault.exe	162
1556	3432	WerFault.exe	162
3184	3432	WerFault.exe	162
3464	3432	WerFault.exe	162
3160	3432	WerFault.exe	162
1332	1772	WerFault.exe	185
2820	1772	WerFault.exe	185
1128	1772	WerFault.exe	185
2256	1772	WerFault.exe	185
4044	1772	WerFault.exe	185
1208	1772	WerFault.exe	185
3348	1772	WerFault.exe	185
4392	1772	WerFault.exe	185
3828	1772	WerFault.exe	185
3856	1772	WerFault.exe	185
3108	1912	WerFault.exe	207
1316	1912	WerFault.exe	207
2880	1912	WerFault.exe	207
3512	1912	WerFault.exe	207
4932	1912	WerFault.exe	207
2644	1912	WerFault.exe	207
3988	1912	WerFault.exe	207
3632	1912	WerFault.exe	207

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2264	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	100
PID 3464 wrote to memory of 2264	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	100
PID 3464 wrote to memory of 2264	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	100
PID 2264 wrote to memory of 2208	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	119
PID 2264 wrote to memory of 2208	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	119
PID 2264 wrote to memory of 2208	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	119
PID 2208 wrote to memory of 976	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	138
PID 2208 wrote to memory of 976	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	138
PID 2208 wrote to memory of 976	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	138
PID 3464 wrote to memory of 4616	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	139
PID 3464 wrote to memory of 4616	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	139
PID 3464 wrote to memory of 4616	3464	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	139
PID 2208 wrote to memory of 4500	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	142
PID 2208 wrote to memory of 4500	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	142
PID 2208 wrote to memory of 4500	2208	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	142
PID 976 wrote to memory of 3432	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	162
PID 976 wrote to memory of 3432	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	162
PID 976 wrote to memory of 3432	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	162
PID 2264 wrote to memory of 1312	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	166
PID 2264 wrote to memory of 1312	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	166
PID 2264 wrote to memory of 1312	2264	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	166
PID 976 wrote to memory of 1388	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	164
PID 976 wrote to memory of 1388	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	164
PID 976 wrote to memory of 1388	976	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	164
PID 3432 wrote to memory of 1772	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	185
PID 3432 wrote to memory of 1772	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	185
PID 3432 wrote to memory of 1772	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	185
PID 3432 wrote to memory of 204	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	186
PID 3432 wrote to memory of 204	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	186
PID 3432 wrote to memory of 204	3432	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	186
PID 1772 wrote to memory of 1912	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	207
PID 1772 wrote to memory of 1912	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	207
PID 1772 wrote to memory of 1912	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	207
PID 1772 wrote to memory of 2312	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	208
PID 1772 wrote to memory of 2312	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	208
PID 1772 wrote to memory of 2312	1772	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	208
PID 1912 wrote to memory of 1872	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	227
PID 1912 wrote to memory of 1872	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	227
PID 1912 wrote to memory of 1872	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	227
PID 1912 wrote to memory of 3592	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	228
PID 1912 wrote to memory of 3592	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	228
PID 1912 wrote to memory of 3592	1912	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	228
PID 1872 wrote to memory of 4184	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	247
PID 1872 wrote to memory of 4184	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	247
PID 1872 wrote to memory of 4184	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	247
PID 1872 wrote to memory of 3348	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	248
PID 1872 wrote to memory of 3348	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	248
PID 1872 wrote to memory of 3348	1872	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	248
PID 4184 wrote to memory of 4028	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	267
PID 4184 wrote to memory of 4028	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	267
PID 4184 wrote to memory of 4028	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	267
PID 4184 wrote to memory of 3992	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	268
PID 4184 wrote to memory of 3992	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	268
PID 4184 wrote to memory of 3992	4184	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	268
PID 4028 wrote to memory of 1012	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	289
PID 4028 wrote to memory of 1012	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	289
PID 4028 wrote to memory of 1012	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	289
PID 4028 wrote to memory of 1424	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	290
PID 4028 wrote to memory of 1424	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	290
PID 4028 wrote to memory of 1424	4028	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	290
PID 1012 wrote to memory of 4620	1012	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	309
PID 1012 wrote to memory of 4620	1012	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	309
PID 1012 wrote to memory of 4620	1012	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	309
PID 1012 wrote to memory of 1196	1012	1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe	310

C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
"C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 628
  2⤵
  - Program crash
  PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 928
  2⤵
  - Program crash
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 972
  2⤵
  - Program crash
  PID:1772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 980
  2⤵
  - Program crash
  PID:268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1120
  2⤵
  - Program crash
  PID:4196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 936
  2⤵
  - Program crash
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1124
  2⤵
  - Program crash
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
  "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 600
    3⤵
    - Program crash
    PID:2308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1044
    3⤵
    - Program crash
    PID:4044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1064
    3⤵
    - Program crash
    PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1056
    3⤵
    - Program crash
    PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1040
    3⤵
    - Program crash
    PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1104
    3⤵
    - Program crash
    PID:3404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1108
    3⤵
    - Program crash
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
    "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 600
      4⤵
      Program crash
      PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 996
      4⤵
      Program crash
      PID:3824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1064
      4⤵
      Program crash
      PID:3724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1064
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1004
      4⤵
      Program crash
      PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1116
      4⤵
      Program crash
      PID:1192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1152
      4⤵
      Program crash
      PID:2644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1160
      4⤵
      Program crash
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
      "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 600
        5⤵
        Program crash
        
        PID:2340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 996
        5⤵
        Program crash
        
        PID:3628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1004
        5⤵
        Program crash
        
        PID:3488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1068
        5⤵
        Program crash
        
        PID:4444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1088
        5⤵
        Program crash
        
        PID:2604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1096
        5⤵
        Program crash
        
        PID:4388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1128
        5⤵
        Program crash
        
        PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 600
        6⤵
        Program crash
        
        PID:4088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 996
        6⤵
        Program crash
        
        PID:1776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1004
        6⤵
        Program crash
        
        PID:4884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1000
        6⤵
        Program crash
        
        PID:2404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1004
        6⤵
        Program crash
        
        PID:3988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1104
        6⤵
        Program crash
        
        PID:1556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1072
        6⤵
        Program crash
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 600
        7⤵
        Program crash
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 944
        7⤵
        Program crash
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1072
        7⤵
        Program crash
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1060
        7⤵
        Program crash
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1060
        7⤵
        Program crash
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 944
        7⤵
        Program crash
        
        PID:1208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1120
        7⤵
        Program crash
        
        PID:3348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1124
        7⤵
        Program crash
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 600
        8⤵
        Program crash
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 980
        8⤵
        Program crash
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1084
        8⤵
        Program crash
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1084
        8⤵
        Program crash
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1116
        8⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1080
        8⤵
        Program crash
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1124
        8⤵
        Program crash
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 600
        9⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 940
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 948
        9⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 948
        9⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1088
        9⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1104
        9⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1092
        9⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 600
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 996
        10⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1084
        10⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1084
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1132
        10⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1160
        10⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1136
        10⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 600
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 996
        11⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1004
        11⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1004
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1064
        11⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1112
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1008
        11⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1144
        11⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 600
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 996
        12⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1088
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1112
        12⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1128
        12⤵
        
        PID:384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1112
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1136
        12⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        12⤵
        Checks computer location settings
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 600
        13⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 940
        13⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 948
        13⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 948
        13⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1084
        13⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1108
        13⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 948
        13⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        13⤵
        Checks computer location settings
        
        PID:440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 536
        14⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 968
        14⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 984
        14⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 984
        14⤵
        
        PID:816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 984
        14⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1020
        14⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1132
        14⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        14⤵
        Checks computer location settings
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 600
        15⤵
        
        PID:528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 996
        15⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1004
        15⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1076
        15⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1100
        15⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1008
        15⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1000
        15⤵
        
        PID:228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 996
        15⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        15⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 600
        16⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 884
        16⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 920
        16⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1076
        16⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 908
        16⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1076
        16⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1092
        16⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        16⤵
        Checks computer location settings
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 608
        17⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 996
        17⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1088
        17⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1088
        17⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1080
        17⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1068
        17⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1000
        17⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        17⤵
        Checks computer location settings
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 600
        18⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 996
        18⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1004
        18⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1116
        18⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1100
        18⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1068
        18⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1136
        18⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1088
        18⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        18⤵
        Checks computer location settings
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 536
        19⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 996
        19⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1004
        19⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1004
        19⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1076
        19⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1132
        19⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1064
        19⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        19⤵
        Checks computer location settings
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 600
        20⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 908
        20⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1008
        20⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1076
        20⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1084
        20⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1020
        20⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 952
        20⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        20⤵
        Checks computer location settings
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 600
        21⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 968
        21⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1064
        21⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 976
        21⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1108
        21⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1148
        21⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1156
        21⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d7d891d56b2eb848a7ed15272197aeabb0235e5dfb89a74b93d19e45eb82f89.exe"
        21⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 600
        22⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 996
        22⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1004
        22⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 996
        22⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1100
        22⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1108
        22⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        21⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1004
        21⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1188
        21⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        20⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 996
        20⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 948
        20⤵
        
        PID:420
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        19⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 984
        19⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1164
        19⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        18⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 984
        18⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1060
        18⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        17⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 984
        17⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1072
        17⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        16⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 936
        16⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1132
        16⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        15⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 984
        15⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1004
        15⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        14⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1004
        14⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1128
        14⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        13⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1004
        13⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1148
        13⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        12⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 984
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1080
        12⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 984
        11⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1148
        11⤵
        
        PID:624
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        10⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 984
        10⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1148
        10⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        9⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1004
        9⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1248
        9⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1004
        8⤵
        Program crash
        
        PID:3632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1164
        8⤵
        
        PID:216
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Loads dropped DLL
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1004
        7⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1152
        7⤵
        Program crash
        
        PID:3856
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Loads dropped DLL
        
        PID:204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 984
        6⤵
        Program crash
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1124
        6⤵
        Program crash
        
        PID:3160
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 984
        5⤵
        Program crash
        
        PID:3476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1124
        5⤵
        Program crash
        
        PID:3732
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:4500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 984
      4⤵
      Program crash
      PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1260
      4⤵
      Program crash
      PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 988
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1136
    3⤵
    - Program crash
    PID:2716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1048
  2⤵
  - Program crash
  PID:4788
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 612
  2⤵
  - Program crash
  PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3464 -ip 3464
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3464 -ip 3464
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3464 -ip 3464
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3464 -ip 3464
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3464 -ip 3464
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3464 -ip 3464
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3464 -ip 3464
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3464 -ip 3464
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2264 -ip 2264
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2264 -ip 2264
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2264 -ip 2264
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2264 -ip 2264
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2264 -ip 2264
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2264 -ip 2264
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2264 -ip 2264
1⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2264 -ip 2264
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2208 -ip 2208
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2208 -ip 2208
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2208 -ip 2208
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2208 -ip 2208
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2208 -ip 2208
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2208 -ip 2208
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2208 -ip 2208
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2208 -ip 2208
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2208 -ip 2208
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3464 -ip 3464
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2208 -ip 2208
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 976 -ip 976
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 976 -ip 976
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 976 -ip 976
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 976 -ip 976
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 976 -ip 976
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 976 -ip 976
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 976 -ip 976
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 976 -ip 976
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2264 -ip 2264
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 976 -ip 976
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3432 -ip 3432
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3432 -ip 3432
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3432 -ip 3432
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3432 -ip 3432
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3432 -ip 3432
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3432 -ip 3432
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3432 -ip 3432
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3432 -ip 3432
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3432 -ip 3432
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1772 -ip 1772
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1772 -ip 1772
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1772 -ip 1772
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1772 -ip 1772
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1772 -ip 1772
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1772 -ip 1772
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1772 -ip 1772
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1772 -ip 1772
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1772 -ip 1772
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1772 -ip 1772
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1912 -ip 1912
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1912 -ip 1912
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1912 -ip 1912
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1912 -ip 1912
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1912 -ip 1912
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 1912 -ip 1912
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1912 -ip 1912
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1912 -ip 1912
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 1912 -ip 1912
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 1872 -ip 1872
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 1872 -ip 1872
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 1872 -ip 1872
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 1872 -ip 1872
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 1872 -ip 1872
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 1872 -ip 1872
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 1872 -ip 1872
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 1872 -ip 1872
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 1872 -ip 1872
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4184 -ip 4184
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 4184 -ip 4184
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4184 -ip 4184
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4184 -ip 4184
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4184 -ip 4184
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4184 -ip 4184
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4184 -ip 4184
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4184 -ip 4184
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4184 -ip 4184
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4028 -ip 4028
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4028 -ip 4028
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4028 -ip 4028
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4028 -ip 4028
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4028 -ip 4028
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4028 -ip 4028
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4028 -ip 4028
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4028 -ip 4028
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4028 -ip 4028
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4028 -ip 4028
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1012 -ip 1012
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 1012 -ip 1012
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 1012 -ip 1012
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 1012 -ip 1012
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1012 -ip 1012
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1012 -ip 1012
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1012 -ip 1012
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 1012 -ip 1012
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1012 -ip 1012
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 4620 -ip 4620
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4620 -ip 4620
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4620 -ip 4620
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4620 -ip 4620
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 4620 -ip 4620
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4620 -ip 4620
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4620 -ip 4620
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4620 -ip 4620
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 4620 -ip 4620
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 440 -ip 440
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 440 -ip 440
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 440 -ip 440
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 440 -ip 440
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 440 -ip 440
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 440 -ip 440
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 440 -ip 440
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 440 -ip 440
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 440 -ip 440
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 1180 -ip 1180
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1180 -ip 1180
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1180 -ip 1180
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 1180 -ip 1180
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 1180 -ip 1180
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 1180 -ip 1180
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1180 -ip 1180
1⤵
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1180 -ip 1180
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1180 -ip 1180
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1180 -ip 1180
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4524 -ip 4524
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4524 -ip 4524
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4524 -ip 4524
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4524 -ip 4524
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4524 -ip 4524
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4524 -ip 4524
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4524 -ip 4524
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4524 -ip 4524
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4524 -ip 4524
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1672 -ip 1672
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 1672 -ip 1672
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 1672 -ip 1672
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 1672 -ip 1672
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1672 -ip 1672
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1672 -ip 1672
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 1672 -ip 1672
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1672 -ip 1672
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1672 -ip 1672
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3716 -ip 3716
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 3716 -ip 3716
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3716 -ip 3716
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3716 -ip 3716
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 3716 -ip 3716
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3716 -ip 3716
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3716 -ip 3716
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 3716 -ip 3716
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3716 -ip 3716
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3716 -ip 3716
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2660 -ip 2660
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 2660 -ip 2660
1⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2660 -ip 2660
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 2660 -ip 2660
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 2660 -ip 2660
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2660 -ip 2660
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 2660 -ip 2660
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 2660 -ip 2660
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 2660 -ip 2660
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 1772 -ip 1772
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1772 -ip 1772
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1772 -ip 1772
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1772 -ip 1772
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1772 -ip 1772
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 1772 -ip 1772
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 1772 -ip 1772
1⤵
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 1772 -ip 1772
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1772 -ip 1772
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 2116 -ip 2116
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 2116 -ip 2116
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 2116 -ip 2116
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 2116 -ip 2116
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 2116 -ip 2116
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2116 -ip 2116
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 2116 -ip 2116
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 2116 -ip 2116
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 2116 -ip 2116
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4324 -ip 4324
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4324 -ip 4324
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4324 -ip 4324
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4324 -ip 4324
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4324 -ip 4324
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4324 -ip 4324
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ad51271590bb99ef0bf1a83cda4299d7

SHA1
db6adee46ebbfdb2a2abeb49583d7d5a9b77a562

SHA256
c8044f955cd156104ea69b78ef78c558c4a648ab72f4b338ae0b64b20c6ee167

SHA512
eb63675f9d1d20b50ae3945334a206988ca24e564eede05cbb7d75490733e1eb115724dd68e2fb78ed1ffc77d859a261bbe0a943bed85348da5972923549bc9a

Download Submit
memory/204-190-0x0000000001F60000-0x00000000022AD000-memory.dmp

Filesize
3.3MB

Download
memory/204-176-0x0000000001F60000-0x00000000022AD000-memory.dmp

Filesize
3.3MB

Download
memory/204-175-0x0000000001F60000-0x00000000022AD000-memory.dmp

Filesize
3.3MB

Download
memory/440-248-0x00000000028B8000-0x0000000002EA2000-memory.dmp

Filesize
5.9MB

Download
memory/976-166-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/976-155-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/976-154-0x0000000002821000-0x0000000002E0B000-memory.dmp

Filesize
5.9MB

Download
memory/1012-230-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1012-228-0x000000000291A000-0x0000000002F04000-memory.dmp

Filesize
5.9MB

Download
memory/1012-237-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1196-236-0x0000000001F60000-0x00000000022AD000-memory.dmp

Filesize
3.3MB

Download
memory/1312-160-0x0000000002560000-0x00000000028AD000-memory.dmp

Filesize
3.3MB

Download
memory/1312-162-0x0000000002560000-0x00000000028AD000-memory.dmp

Filesize
3.3MB

Download
memory/1312-180-0x0000000002560000-0x00000000028AD000-memory.dmp

Filesize
3.3MB

Download
memory/1388-181-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1388-164-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1424-238-0x0000000001FA0000-0x00000000022ED000-memory.dmp

Filesize
3.3MB

Download
memory/1424-225-0x0000000001FA0000-0x00000000022ED000-memory.dmp

Filesize
3.3MB

Download
memory/1424-226-0x0000000001FA0000-0x00000000022ED000-memory.dmp

Filesize
3.3MB

Download
memory/1772-189-0x0000000002852000-0x0000000002E3C000-memory.dmp

Filesize
5.9MB

Download
memory/1772-179-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1772-178-0x0000000002852000-0x0000000002E3C000-memory.dmp

Filesize
5.9MB

Download
memory/1772-188-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1872-207-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1872-198-0x00000000027C7000-0x0000000002DB1000-memory.dmp

Filesize
5.9MB

Download
memory/1872-199-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1912-192-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1912-191-0x00000000027D3000-0x0000000002DBD000-memory.dmp

Filesize
5.9MB

Download
memory/1912-197-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2208-151-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2208-153-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2208-140-0x00000000029D7000-0x0000000002FC1000-memory.dmp

Filesize
5.9MB

Download
memory/2208-141-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2264-136-0x0000000002940000-0x0000000002F2A000-memory.dmp

Filesize
5.9MB

Download
memory/2264-142-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2264-137-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2264-165-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2312-187-0x0000000002570000-0x00000000028BD000-memory.dmp

Filesize
3.3MB

Download
memory/2312-186-0x0000000002570000-0x00000000028BD000-memory.dmp

Filesize
3.3MB

Download
memory/2312-200-0x0000000002570000-0x00000000028BD000-memory.dmp

Filesize
3.3MB

Download
memory/2356-301-0x0000000002630000-0x000000000297D000-memory.dmp

Filesize
3.3MB

Download
memory/2516-245-0x0000000002300000-0x000000000264D000-memory.dmp

Filesize
3.3MB

Download
memory/2516-246-0x0000000002300000-0x000000000264D000-memory.dmp

Filesize
3.3MB

Download
memory/3064-291-0x00000000023F0000-0x000000000273D000-memory.dmp

Filesize
3.3MB

Download
memory/3348-205-0x0000000002340000-0x000000000268D000-memory.dmp

Filesize
3.3MB

Download
memory/3348-220-0x0000000002340000-0x000000000268D000-memory.dmp

Filesize
3.3MB

Download
memory/3348-206-0x0000000002340000-0x000000000268D000-memory.dmp

Filesize
3.3MB

Download
memory/3432-168-0x000000000284E000-0x0000000002E38000-memory.dmp

Filesize
5.9MB

Download
memory/3432-177-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3432-169-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3464-133-0x0000000002F60000-0x0000000003580000-memory.dmp

Filesize
6.1MB

Download
memory/3464-134-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3464-132-0x0000000002967000-0x0000000002F51000-memory.dmp

Filesize
5.9MB

Download
memory/3464-139-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3464-150-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3592-196-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3592-210-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3992-216-0x00000000022F0000-0x000000000263D000-memory.dmp

Filesize
3.3MB

Download
memory/3992-215-0x00000000022F0000-0x000000000263D000-memory.dmp

Filesize
3.3MB

Download
memory/3992-229-0x00000000022F0000-0x000000000263D000-memory.dmp

Filesize
3.3MB

Download
memory/4028-227-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4028-218-0x00000000028C7000-0x0000000002EB1000-memory.dmp

Filesize
5.9MB

Download
memory/4028-219-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4184-208-0x000000000290D000-0x0000000002EF7000-memory.dmp

Filesize
5.9MB

Download
memory/4184-217-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4184-209-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4392-263-0x0000000002540000-0x000000000288D000-memory.dmp

Filesize
3.3MB

Download
memory/4500-152-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4500-170-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4616-167-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4616-147-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4620-239-0x00000000028BA000-0x0000000002EA4000-memory.dmp

Filesize
5.9MB

Download
memory/4620-247-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4620-240-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4920-273-0x0000000002160000-0x00000000024AD000-memory.dmp

Filesize
3.3MB

Download