smokeloader | 861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
Size

209KB
MD5

7926391003b01152d1336849a984a08e
SHA1

a0ebce5a2f02bb1277918ac9e430513d50e2bf16
SHA256

861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f
SHA512

48337f2ce552120573b704af83d9f269b6c7e0da0f27e01bad147da149d42d28aaa12e08288399b559dcb237e97b089f5112509886463c46524cae3d04a34d48
SSDEEP

3072:AkTw15g6T8GZs6ULOx9hJ655/54a2Bym6cioCQam4YdZqMFVmSx:AkM1VT/Zs9LMhJlxkmfcUZZFVmS

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/3540-133-0x0000000000720000-0x0000000000729000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 26 IoCs

flow	pid	Process
69	4708	rundll32.exe
70	3580	rundll32.exe
71	2136	rundll32.exe
72	4708	rundll32.exe
73	948	rundll32.exe
74	2136	rundll32.exe
75	3580	rundll32.exe
76	2804	rundll32.exe
77	948	rundll32.exe
78	3444	rundll32.exe
79	2804	rundll32.exe
80	4312	rundll32.exe
81	3444	rundll32.exe
82	3968	rundll32.exe
83	4312	rundll32.exe
84	1736	rundll32.exe
85	1780	rundll32.exe
86	3968	rundll32.exe
87	3984	rundll32.exe
88	1736	rundll32.exe
89	1780	rundll32.exe
90	3508	rundll32.exe
91	4100	rundll32.exe
92	3984	rundll32.exe
93	3508	rundll32.exe
94	4100	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
396	5851.exe
2112	5851.exe
1760	5851.exe
3336	5851.exe
2460	5851.exe
4996	5851.exe
1104	5851.exe
1968	5851.exe
4392	5851.exe
3928	5851.exe
364	5851.exe
2204	5851.exe
1100	5851.exe
1916	5851.exe
756	5851.exe
3540	5851.exe
2712	5851.exe
4636	5851.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5851.exe

Loads dropped DLL 21 IoCs

pid	Process
4528	rundll32.exe
4708	rundll32.exe
3580	rundll32.exe
2136	rundll32.exe
948	rundll32.exe
948	rundll32.exe
2804	rundll32.exe
3444	rundll32.exe
3444	rundll32.exe
4312	rundll32.exe
4312	rundll32.exe
3968	rundll32.exe
1736	rundll32.exe
1736	rundll32.exe
1780	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3508	rundll32.exe
4100	rundll32.exe
2952	rundll32.exe
3904	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3160	396	WerFault.exe	88
4740	396	WerFault.exe	88
2276	396	WerFault.exe	88
5008	396	WerFault.exe	88
1180	396	WerFault.exe	88
5104	396	WerFault.exe	88
2700	396	WerFault.exe	88
4948	396	WerFault.exe	88
1684	2112	WerFault.exe	104
3992	2112	WerFault.exe	104
3580	2112	WerFault.exe	104
624	2112	WerFault.exe	104
5096	2112	WerFault.exe	104
1932	2112	WerFault.exe	104
2268	2112	WerFault.exe	104
2176	2112	WerFault.exe	104
4108	1760	WerFault.exe	121
4088	1760	WerFault.exe	121
2204	1760	WerFault.exe	121
340	1760	WerFault.exe	121
3552	1760	WerFault.exe	121
2064	1760	WerFault.exe	121
4276	1760	WerFault.exe	121
4812	1760	WerFault.exe	121
4184	396	WerFault.exe	88
1912	1760	WerFault.exe	121
3112	1760	WerFault.exe	121
2120	3336	WerFault.exe	143
5104	3336	WerFault.exe	143
4952	3336	WerFault.exe	143
3260	3336	WerFault.exe	143
3584	3336	WerFault.exe	143
3948	3336	WerFault.exe	143
1956	2112	WerFault.exe	104
3048	3336	WerFault.exe	143
1440	3336	WerFault.exe	143
2216	3336	WerFault.exe	143
2412	3336	WerFault.exe	143
2688	2460	WerFault.exe	168
3304	2460	WerFault.exe	168
3968	2460	WerFault.exe	168
4332	2460	WerFault.exe	168
4648	2460	WerFault.exe	168
3232	2460	WerFault.exe	168
4680	2460	WerFault.exe	168
1820	2460	WerFault.exe	168
4776	2460	WerFault.exe	168
4888	4996	WerFault.exe	188
5008	4996	WerFault.exe	188
4488	4996	WerFault.exe	188
808	4996	WerFault.exe	188
3520	4996	WerFault.exe	188
3992	4996	WerFault.exe	188
4084	4996	WerFault.exe	188
480	4996	WerFault.exe	188
3036	4996	WerFault.exe	188
3224	1104	WerFault.exe	208
2868	1104	WerFault.exe	208
4576	1104	WerFault.exe	208
1404	1104	WerFault.exe	208
1780	1104	WerFault.exe	208
3304	1104	WerFault.exe	208
2716	1104	WerFault.exe	208
4276	1104	WerFault.exe	208

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
3540	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found
2440	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3540	861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found
Token: SeShutdownPrivilege	2440	Process not Found
Token: SeCreatePagefilePrivilege	2440	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 396	2440	Process not Found	88
PID 2440 wrote to memory of 396	2440	Process not Found	88
PID 2440 wrote to memory of 396	2440	Process not Found	88
PID 396 wrote to memory of 2112	396	5851.exe	104
PID 396 wrote to memory of 2112	396	5851.exe	104
PID 396 wrote to memory of 2112	396	5851.exe	104
PID 2112 wrote to memory of 1760	2112	5851.exe	121
PID 2112 wrote to memory of 1760	2112	5851.exe	121
PID 2112 wrote to memory of 1760	2112	5851.exe	121
PID 396 wrote to memory of 4528	396	5851.exe	140
PID 396 wrote to memory of 4528	396	5851.exe	140
PID 396 wrote to memory of 4528	396	5851.exe	140
PID 1760 wrote to memory of 3336	1760	5851.exe	143
PID 1760 wrote to memory of 3336	1760	5851.exe	143
PID 1760 wrote to memory of 3336	1760	5851.exe	143
PID 1760 wrote to memory of 4708	1760	5851.exe	144
PID 1760 wrote to memory of 4708	1760	5851.exe	144
PID 1760 wrote to memory of 4708	1760	5851.exe	144
PID 2112 wrote to memory of 3580	2112	5851.exe	161
PID 2112 wrote to memory of 3580	2112	5851.exe	161
PID 2112 wrote to memory of 3580	2112	5851.exe	161
PID 3336 wrote to memory of 2460	3336	5851.exe	168
PID 3336 wrote to memory of 2460	3336	5851.exe	168
PID 3336 wrote to memory of 2460	3336	5851.exe	168
PID 3336 wrote to memory of 2136	3336	5851.exe	169
PID 3336 wrote to memory of 2136	3336	5851.exe	169
PID 3336 wrote to memory of 2136	3336	5851.exe	169
PID 2460 wrote to memory of 4996	2460	5851.exe	188
PID 2460 wrote to memory of 4996	2460	5851.exe	188
PID 2460 wrote to memory of 4996	2460	5851.exe	188
PID 2460 wrote to memory of 948	2460	5851.exe	189
PID 2460 wrote to memory of 948	2460	5851.exe	189
PID 2460 wrote to memory of 948	2460	5851.exe	189
PID 4996 wrote to memory of 1104	4996	5851.exe	208
PID 4996 wrote to memory of 1104	4996	5851.exe	208
PID 4996 wrote to memory of 1104	4996	5851.exe	208
PID 4996 wrote to memory of 2804	4996	5851.exe	209
PID 4996 wrote to memory of 2804	4996	5851.exe	209
PID 4996 wrote to memory of 2804	4996	5851.exe	209
PID 1104 wrote to memory of 1968	1104	5851.exe	230
PID 1104 wrote to memory of 1968	1104	5851.exe	230
PID 1104 wrote to memory of 1968	1104	5851.exe	230
PID 1104 wrote to memory of 3444	1104	5851.exe	231
PID 1104 wrote to memory of 3444	1104	5851.exe	231
PID 1104 wrote to memory of 3444	1104	5851.exe	231
PID 1968 wrote to memory of 4392	1968	5851.exe	252
PID 1968 wrote to memory of 4392	1968	5851.exe	252
PID 1968 wrote to memory of 4392	1968	5851.exe	252
PID 1968 wrote to memory of 4312	1968	5851.exe	253
PID 1968 wrote to memory of 4312	1968	5851.exe	253
PID 1968 wrote to memory of 4312	1968	5851.exe	253
PID 4392 wrote to memory of 3928	4392	5851.exe	274
PID 4392 wrote to memory of 3928	4392	5851.exe	274
PID 4392 wrote to memory of 3928	4392	5851.exe	274
PID 4392 wrote to memory of 3968	4392	5851.exe	275
PID 4392 wrote to memory of 3968	4392	5851.exe	275
PID 4392 wrote to memory of 3968	4392	5851.exe	275
PID 3928 wrote to memory of 364	3928	5851.exe	294
PID 3928 wrote to memory of 364	3928	5851.exe	294
PID 3928 wrote to memory of 364	3928	5851.exe	294
PID 3928 wrote to memory of 1736	3928	5851.exe	295
PID 3928 wrote to memory of 1736	3928	5851.exe	295
PID 3928 wrote to memory of 1736	3928	5851.exe	295
PID 364 wrote to memory of 2204	364	5851.exe	314

C:\Users\Admin\AppData\Local\Temp\861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe
"C:\Users\Admin\AppData\Local\Temp\861cdf989a96190939df8f34a2dd3704a14529e51a42b067bf6815d53352eb7f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3540

C:\Users\Admin\AppData\Local\Temp\5851.exe
C:\Users\Admin\AppData\Local\Temp\5851.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 568
  2⤵
  - Program crash
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 908
  2⤵
  - Program crash
  PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 920
  2⤵
  - Program crash
  PID:2276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 968
  2⤵
  - Program crash
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1120
  2⤵
  - Program crash
  PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1144
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1124
  2⤵
  - Program crash
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\5851.exe
  "C:\Users\Admin\AppData\Local\Temp\5851.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 608
    3⤵
    - Program crash
    PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 996
    3⤵
    - Program crash
    PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1004
    3⤵
    - Program crash
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1092
    3⤵
    - Program crash
    PID:624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1064
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1092
    3⤵
    - Program crash
    PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1128
    3⤵
    - Program crash
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\5851.exe
    "C:\Users\Admin\AppData\Local\Temp\5851.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 600
      4⤵
      Program crash
      PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 996
      4⤵
      Program crash
      PID:4088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1064
      4⤵
      Program crash
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1008
      4⤵
      Program crash
      PID:340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 992
      4⤵
      Program crash
      PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1104
      4⤵
      Program crash
      PID:2064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1132
      4⤵
      Program crash
      PID:4276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1144
      4⤵
      Program crash
      PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\5851.exe
      "C:\Users\Admin\AppData\Local\Temp\5851.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 472
        5⤵
        Program crash
        
        PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1004
        5⤵
        Program crash
        
        PID:5104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1064
        5⤵
        Program crash
        
        PID:4952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1072
        5⤵
        Program crash
        
        PID:3260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1120
        5⤵
        Program crash
        
        PID:3584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1080
        5⤵
        Program crash
        
        PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1016
        5⤵
        Program crash
        
        PID:3048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1012
        5⤵
        Program crash
        
        PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 600
        6⤵
        Program crash
        
        PID:2688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 996
        6⤵
        Program crash
        
        PID:3304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 992
        6⤵
        Program crash
        
        PID:3968
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 992
        6⤵
        Program crash
        
        PID:4332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1088
        6⤵
        Program crash
        
        PID:4648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1116
        6⤵
        Program crash
        
        PID:3232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1144
        6⤵
        Program crash
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 600
        7⤵
        Program crash
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 996
        7⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1004
        7⤵
        Program crash
        
        PID:4488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1080
        7⤵
        Program crash
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1080
        7⤵
        Program crash
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1088
        7⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1092
        7⤵
        Program crash
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 536
        8⤵
        Program crash
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 996
        8⤵
        Program crash
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1064
        8⤵
        Program crash
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1064
        8⤵
        Program crash
        
        PID:1404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1088
        8⤵
        Program crash
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1096
        8⤵
        Program crash
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1132
        8⤵
        Program crash
        
        PID:2716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1156
        8⤵
        Program crash
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 600
        9⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 944
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 956
        9⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 956
        9⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1060
        9⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 960
        9⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1120
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 952
        9⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 608
        10⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 896
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1056
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1080
        10⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1088
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1128
        10⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1088
        10⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1188
        10⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 600
        11⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 948
        11⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1084
        11⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1084
        11⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1104
        11⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1080
        11⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1100
        11⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 600
        12⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 996
        12⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1004
        12⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1004
        12⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1112
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1160
        12⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1080
        12⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 472
        13⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 996
        13⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1084
        13⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1084
        13⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1080
        13⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1004
        13⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1104
        13⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1096
        13⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 536
        14⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 996
        14⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1004
        14⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1068
        14⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1076
        14⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1112
        14⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1076
        14⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 600
        15⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 996
        15⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1064
        15⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1072
        15⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1004
        15⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1108
        15⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1064
        15⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 600
        16⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 908
        16⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1012
        16⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1076
        16⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1008
        16⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1008
        16⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1116
        16⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 600
        17⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 896
        17⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 904
        17⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1084
        17⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 948
        17⤵
        
        PID:960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 948
        17⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1100
        17⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 600
        18⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 996
        18⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 992
        18⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1072
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1120
        18⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1100
        18⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1128
        18⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\5851.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5851.exe"
        18⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        18⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 984
        18⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1076
        18⤵
        
        PID:552
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        17⤵
        Loads dropped DLL
        
        PID:3904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1016
        17⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1132
        17⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        16⤵
        Loads dropped DLL
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 988
        16⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1144
        16⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        15⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 984
        15⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1140
        15⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        14⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 984
        14⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1064
        14⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        13⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 984
        13⤵
        
        PID:432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1152
        13⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        12⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 984
        12⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 1300
        12⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1004
        11⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 600
        11⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        10⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 976
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 608
        10⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        9⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1004
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1148
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 984
        8⤵
        
        PID:620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1212
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 984
        7⤵
        Program crash
        
        PID:480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1124
        7⤵
        Program crash
        
        PID:3036
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 984
        6⤵
        Program crash
        
        PID:1820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1112
        6⤵
        Program crash
        
        PID:4776
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 992
        5⤵
        Program crash
        
        PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1004
        5⤵
        Program crash
        
        PID:2412
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 984
      4⤵
      Program crash
      PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1164
      4⤵
      Program crash
      PID:3112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 984
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 1244
    3⤵
    - Program crash
    PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1048
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Loads dropped DLL
  PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1164
  2⤵
  - Program crash
  PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 396 -ip 396
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 396 -ip 396
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 396 -ip 396
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 396 -ip 396
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 396 -ip 396
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 396 -ip 396
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 396 -ip 396
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 396 -ip 396
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2112 -ip 2112
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2112 -ip 2112
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2112 -ip 2112
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2112 -ip 2112
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2112 -ip 2112
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2112 -ip 2112
1⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2112 -ip 2112
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2112 -ip 2112
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1760 -ip 1760
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1760 -ip 1760
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1760 -ip 1760
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1760 -ip 1760
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1760 -ip 1760
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1760 -ip 1760
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1760 -ip 1760
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 396 -ip 396
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1760 -ip 1760
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3336 -ip 3336
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3336 -ip 3336
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3336 -ip 3336
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3336 -ip 3336
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3336 -ip 3336
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3336 -ip 3336
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2112 -ip 2112
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3336 -ip 3336
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3336 -ip 3336
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3336 -ip 3336
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3336 -ip 3336
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2460 -ip 2460
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2460 -ip 2460
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2460 -ip 2460
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2460 -ip 2460
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2460 -ip 2460
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2460 -ip 2460
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2460 -ip 2460
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2460 -ip 2460
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2460 -ip 2460
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4996 -ip 4996
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4996 -ip 4996
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4996 -ip 4996
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4996 -ip 4996
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4996 -ip 4996
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4996 -ip 4996
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4996 -ip 4996
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4996 -ip 4996
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4996 -ip 4996
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1104 -ip 1104
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1104 -ip 1104
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1104 -ip 1104
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1104 -ip 1104
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1104 -ip 1104
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1104 -ip 1104
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1104 -ip 1104
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1104 -ip 1104
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1104 -ip 1104
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1104 -ip 1104
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1968 -ip 1968
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1968 -ip 1968
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1968 -ip 1968
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1968 -ip 1968
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1968 -ip 1968
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1968 -ip 1968
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1968 -ip 1968
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1968 -ip 1968
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1968 -ip 1968
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4392 -ip 4392
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4392 -ip 4392
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4392 -ip 4392
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4392 -ip 4392
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4392 -ip 4392
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4392 -ip 4392
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4392 -ip 4392
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4392 -ip 4392
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4392 -ip 4392
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4392 -ip 4392
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3928 -ip 3928
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3928 -ip 3928
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3928 -ip 3928
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3928 -ip 3928
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3928 -ip 3928
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3928 -ip 3928
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3928 -ip 3928
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3928 -ip 3928
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3928 -ip 3928
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 364 -ip 364
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 364 -ip 364
1⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 364 -ip 364
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 364 -ip 364
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 364 -ip 364
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 364 -ip 364
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 364 -ip 364
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 364 -ip 364
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 364 -ip 364
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2204 -ip 2204
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2204 -ip 2204
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2204 -ip 2204
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2204 -ip 2204
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2204 -ip 2204
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2204 -ip 2204
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2204 -ip 2204
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2204 -ip 2204
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2204 -ip 2204
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2204 -ip 2204
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1100 -ip 1100
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1100 -ip 1100
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1100 -ip 1100
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1100 -ip 1100
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1100 -ip 1100
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1100 -ip 1100
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1100 -ip 1100
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1100 -ip 1100
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1100 -ip 1100
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1916 -ip 1916
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1916 -ip 1916
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1916 -ip 1916
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1916 -ip 1916
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1916 -ip 1916
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1916 -ip 1916
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1916 -ip 1916
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1916 -ip 1916
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1916 -ip 1916
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 756 -ip 756
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 756 -ip 756
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 756 -ip 756
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 756 -ip 756
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 756 -ip 756
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 756 -ip 756
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 756 -ip 756
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 756 -ip 756
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 756 -ip 756
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3540 -ip 3540
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3540 -ip 3540
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3540 -ip 3540
1⤵
PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3540 -ip 3540
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3540 -ip 3540
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3540 -ip 3540
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3540 -ip 3540
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3540 -ip 3540
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3540 -ip 3540
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2712 -ip 2712
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2712 -ip 2712
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2712 -ip 2712
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2712 -ip 2712
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2712 -ip 2712
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2712 -ip 2712
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2712 -ip 2712
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2712 -ip 2712
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2712 -ip 2712
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\5851.exe

Filesize
6.1MB

MD5
8d9a22060a21621c75badb68f5c215d9

SHA1
f0249e39bb4b35f3b3f3aacde0a34fd9607a732a

SHA256
e44c1df0b169c90c3e39143dba455bf0a15b1da0113d254e35dc724824935fdd

SHA512
290b71f7cc748cd0f6681dced7264ef2e33c26cf6e23ab2d68325573911cb4c7ff113ed6a7d8a6313d3268feaea07a3bd553b0c129142b41d29c73a43e247994

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
8d0a39fe076a5a72b1d9e7fe6738f71d

SHA1
6532a0181ab76822280e80b1c84f2eff5948d345

SHA256
b85cfe8ff13bc533f0da69144353b3923fcfe54c0dacada10d0c474453e143d2

SHA512
032c5560f19380dcf25f553cb60786b2964a33b12a838d992951da25d2d043a093e6a68b7db4cc3899abe7346b3cfe90a09920402533c0ff033b5fc66902d14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
1.8MB

MD5
72f207c7281362da25d5e6a5b3c50092

SHA1
a4cd5f2e285b6079869ffce221777ab69cd90a7c

SHA256
5592ca8f0d978cf5ae26d560488553a322e28f97b2db7129da768529a87126b0

SHA512
013094aeb415ea193e009f047d9ec8e509832a3afd714043267cf38eaa911dda883ca5b63cc376882ab5bf33cee7411da8c4eacdced7cdda084f04f30cfe77cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
1.8MB

MD5
2f70870512de1ccbb0a98e69b9031981

SHA1
31cd56198e7576cf9686ba54b202d209808a7093

SHA256
138657aeaa58c94eb7718c6989c7a3daddc50797f501c82ae99f70663e6a7f87

SHA512
95b4d6ba57fa37d813883a0929c42410eccb611d2ac2e15ab26b3d316bc53baa13b30afa6d7f218e7628a58e5e03b3dd45b3ca84ac2c19dc9db2437890a5d5cc

Download Submit
memory/364-248-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/364-241-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/364-240-0x000000000291B000-0x0000000002F05000-memory.dmp

Filesize
5.9MB

Download
memory/364-232-0x0000000000000000-mapping.dmp

Download
memory/396-141-0x0000000002ED0000-0x00000000034F0000-memory.dmp

Filesize
6.1MB

Download
memory/396-137-0x0000000000000000-mapping.dmp

Download
memory/396-158-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/396-149-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/396-142-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/396-140-0x00000000028DA000-0x0000000002EC4000-memory.dmp

Filesize
5.9MB

Download
memory/756-271-0x0000000000000000-mapping.dmp

Download
memory/948-182-0x0000000000000000-mapping.dmp

Download
memory/948-186-0x00000000020C0000-0x000000000240D000-memory.dmp

Filesize
3.3MB

Download
memory/948-185-0x00000000020C0000-0x000000000240D000-memory.dmp

Filesize
3.3MB

Download
memory/948-200-0x00000000020C0000-0x000000000240D000-memory.dmp

Filesize
3.3MB

Download
memory/1100-252-0x0000000000000000-mapping.dmp

Download
memory/1104-198-0x000000000283E000-0x0000000002E28000-memory.dmp

Filesize
5.9MB

Download
memory/1104-192-0x0000000000000000-mapping.dmp

Download
memory/1104-208-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1104-199-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1612-300-0x0000000000000000-mapping.dmp

Download
memory/1612-303-0x00000000021D0000-0x000000000251D000-memory.dmp

Filesize
3.3MB

Download
memory/1736-238-0x0000000002350000-0x000000000269D000-memory.dmp

Filesize
3.3MB

Download
memory/1736-251-0x0000000002350000-0x000000000269D000-memory.dmp

Filesize
3.3MB

Download
memory/1736-234-0x0000000000000000-mapping.dmp

Download
memory/1736-237-0x0000000002350000-0x000000000269D000-memory.dmp

Filesize
3.3MB

Download
memory/1760-150-0x00000000028B3000-0x0000000002E9D000-memory.dmp

Filesize
5.9MB

Download
memory/1760-163-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1760-151-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1760-147-0x0000000000000000-mapping.dmp

Download
memory/1780-247-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1780-245-0x0000000000000000-mapping.dmp

Download
memory/1916-263-0x0000000000000000-mapping.dmp

Download
memory/1968-219-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1968-201-0x0000000000000000-mapping.dmp

Download
memory/1968-209-0x000000000291B000-0x0000000002F05000-memory.dmp

Filesize
5.9MB

Download
memory/1968-210-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2112-168-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2112-152-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2112-146-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2112-145-0x0000000002857000-0x0000000002E41000-memory.dmp

Filesize
5.9MB

Download
memory/2112-143-0x0000000000000000-mapping.dmp

Download
memory/2136-174-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2136-191-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2136-172-0x0000000000000000-mapping.dmp

Download
memory/2204-250-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2204-249-0x0000000002855000-0x0000000002E3F000-memory.dmp

Filesize
5.9MB

Download
memory/2204-243-0x0000000000000000-mapping.dmp

Download
memory/2460-177-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2460-170-0x0000000000000000-mapping.dmp

Download
memory/2460-176-0x0000000002810000-0x0000000002DFA000-memory.dmp

Filesize
5.9MB

Download
memory/2460-187-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2712-289-0x0000000000000000-mapping.dmp

Download
memory/2804-211-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2804-196-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2804-194-0x0000000000000000-mapping.dmp

Download
memory/2952-282-0x0000000000000000-mapping.dmp

Download
memory/3336-165-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3336-175-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3336-157-0x0000000000000000-mapping.dmp

Download
memory/3336-164-0x0000000002900000-0x0000000002EEA000-memory.dmp

Filesize
5.9MB

Download
memory/3444-203-0x0000000000000000-mapping.dmp

Download
memory/3444-206-0x0000000002040000-0x000000000238D000-memory.dmp

Filesize
3.3MB

Download
memory/3444-207-0x0000000002040000-0x000000000238D000-memory.dmp

Filesize
3.3MB

Download
memory/3444-222-0x0000000002040000-0x000000000238D000-memory.dmp

Filesize
3.3MB

Download
memory/3508-265-0x0000000000000000-mapping.dmp

Download
memory/3540-280-0x0000000000000000-mapping.dmp

Download
memory/3540-132-0x000000000087E000-0x000000000088E000-memory.dmp

Filesize
64KB

Download
memory/3540-133-0x0000000000720000-0x0000000000729000-memory.dmp

Filesize
36KB

Download
memory/3540-134-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/3540-136-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/3540-135-0x000000000087E000-0x000000000088E000-memory.dmp

Filesize
64KB

Download
memory/3580-166-0x0000000000000000-mapping.dmp

Download
memory/3580-169-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3580-188-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3904-291-0x0000000000000000-mapping.dmp

Download
memory/3928-230-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3928-239-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3928-223-0x0000000000000000-mapping.dmp

Download
memory/3928-229-0x00000000028AC000-0x0000000002E96000-memory.dmp

Filesize
5.9MB

Download
memory/3968-227-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3968-242-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/3968-225-0x0000000000000000-mapping.dmp

Download
memory/3984-257-0x00000000022F0000-0x000000000263D000-memory.dmp

Filesize
3.3MB

Download
memory/3984-254-0x0000000000000000-mapping.dmp

Download
memory/4100-273-0x0000000000000000-mapping.dmp

Download
memory/4312-214-0x0000000000000000-mapping.dmp

Download
memory/4312-218-0x0000000002040000-0x000000000238D000-memory.dmp

Filesize
3.3MB

Download
memory/4312-231-0x0000000002040000-0x000000000238D000-memory.dmp

Filesize
3.3MB

Download
memory/4392-220-0x0000000002A34000-0x000000000301E000-memory.dmp

Filesize
5.9MB

Download
memory/4392-221-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4392-228-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4392-212-0x0000000000000000-mapping.dmp

Download
memory/4528-156-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4528-153-0x0000000000000000-mapping.dmp

Download
memory/4528-178-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4636-298-0x0000000000000000-mapping.dmp

Download
memory/4708-159-0x0000000000000000-mapping.dmp

Download
memory/4708-179-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4708-162-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4996-190-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4996-197-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4996-189-0x0000000002845000-0x0000000002E2F000-memory.dmp

Filesize
5.9MB

Download
memory/4996-180-0x0000000000000000-mapping.dmp

Download