smokeloader | 53f419715676fad8ac085500d15be5f9b9998e37f147f70d7d342a0a9fad45cf

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

320KB
MD5

989f0118f0a47d477fc5df1177c66416
SHA1

99883ffc1654929595aabb58bdc2835afeac61fa
SHA256

53f419715676fad8ac085500d15be5f9b9998e37f147f70d7d342a0a9fad45cf
SHA512

19b2bf20c0e61673197b8b97cda479ea2d5a227feab57a4308165a1c8ee15c22d09d47de9ebdae1eb5b30bdbce0ebd74e025bf0f660319516cb986aea3a6793d
SSDEEP

3072:6uzrwjSqDxz5XwBdahPZz4wSzBA5RCyk1nfVm05pHjsKVggjcGkNIVqIE:1wjSqDA6hPZUBlAyD9A05pHN7ITsq

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/1560-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 18 IoCs

flow	pid	Process
56	1272	rundll32.exe
63	3616	rundll32.exe
66	3152	rundll32.exe
67	1272	rundll32.exe
73	3392	rundll32.exe
76	2100	rundll32.exe
78	3616	rundll32.exe
79	3152	rundll32.exe
80	3392	rundll32.exe
81	2100	rundll32.exe
82	4272	rundll32.exe
83	1004	rundll32.exe
84	4272	rundll32.exe
85	1900	rundll32.exe
86	1004	rundll32.exe
87	3432	rundll32.exe
88	1964	rundll32.exe
89	1900	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1176	539E.exe
3712	539E.exe
2468	539E.exe
3964	539E.exe
3156	539E.exe
2768	539E.exe
1564	539E.exe
4296	539E.exe
4248	539E.exe
608	539E.exe
4312	539E.exe
392	539E.exe
3676	539E.exe
4348	539E.exe
3352	539E.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	539E.exe

Loads dropped DLL 28 IoCs

pid	Process
1272	rundll32.exe
1272	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3152	rundll32.exe
3152	rundll32.exe
3392	rundll32.exe
3392	rundll32.exe
2100	rundll32.exe
2100	rundll32.exe
456	rundll32.exe
456	rundll32.exe
4272	rundll32.exe
4272	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
4856	rundll32.exe
4856	rundll32.exe
1900	rundll32.exe
1900	rundll32.exe
3432	rundll32.exe
3432	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3664	1176	WerFault.exe	88
2592	1176	WerFault.exe	88
2488	1176	WerFault.exe	88
1148	1176	WerFault.exe	88
3516	1176	WerFault.exe	88
4164	1176	WerFault.exe	88
2900	1176	WerFault.exe	88
4528	1176	WerFault.exe	88
1476	3712	WerFault.exe	104
2420	3712	WerFault.exe	104
3584	3712	WerFault.exe	104
3372	3712	WerFault.exe	104
1060	3712	WerFault.exe	104
3300	3712	WerFault.exe	104
64	3712	WerFault.exe	104
3868	3712	WerFault.exe	104
3920	2468	WerFault.exe	121
3436	2468	WerFault.exe	121
4384	2468	WerFault.exe	121
2564	2468	WerFault.exe	121
4156	2468	WerFault.exe	121
1432	2468	WerFault.exe	121
4924	2468	WerFault.exe	121
4628	2468	WerFault.exe	121
212	2468	WerFault.exe	121
4640	1176	WerFault.exe	88
2024	3964	WerFault.exe	140
4200	3964	WerFault.exe	140
1112	3964	WerFault.exe	140
2236	3964	WerFault.exe	140
2368	3964	WerFault.exe	140
2052	3712	WerFault.exe	104
4724	3964	WerFault.exe	140
1468	3964	WerFault.exe	140
2420	3964	WerFault.exe	140
3372	3964	WerFault.exe	140
408	3964	WerFault.exe	140
1152	3156	WerFault.exe	165
3688	3156	WerFault.exe	165
532	3156	WerFault.exe	165
2128	3156	WerFault.exe	165
3504	3156	WerFault.exe	165
4448	3156	WerFault.exe	165
2344	3156	WerFault.exe	165
4880	3156	WerFault.exe	165
4892	3156	WerFault.exe	165
4972	2468	WerFault.exe	121
1944	2768	WerFault.exe	185
2340	2768	WerFault.exe	185
2024	2768	WerFault.exe	185
1740	2768	WerFault.exe	185
1768	2768	WerFault.exe	185
1764	2768	WerFault.exe	185
916	2768	WerFault.exe	185
3744	2768	WerFault.exe	185
924	2768	WerFault.exe	185
2212	1564	WerFault.exe	208
3372	1564	WerFault.exe	208
1736	1564	WerFault.exe	208
4456	1564	WerFault.exe	208
1756	1564	WerFault.exe	208
4516	1564	WerFault.exe	208
1760	1564	WerFault.exe	208
3504	1564	WerFault.exe	208

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	file.exe
1560	file.exe
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found
980	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
980	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1560	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found
Token: SeShutdownPrivilege	980	Process not Found
Token: SeCreatePagefilePrivilege	980	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1176	980	Process not Found	88
PID 980 wrote to memory of 1176	980	Process not Found	88
PID 980 wrote to memory of 1176	980	Process not Found	88
PID 1176 wrote to memory of 3712	1176	539E.exe	104
PID 1176 wrote to memory of 3712	1176	539E.exe	104
PID 1176 wrote to memory of 3712	1176	539E.exe	104
PID 3712 wrote to memory of 2468	3712	539E.exe	121
PID 3712 wrote to memory of 2468	3712	539E.exe	121
PID 3712 wrote to memory of 2468	3712	539E.exe	121
PID 2468 wrote to memory of 3964	2468	539E.exe	140
PID 2468 wrote to memory of 3964	2468	539E.exe	140
PID 2468 wrote to memory of 3964	2468	539E.exe	140
PID 1176 wrote to memory of 1272	1176	539E.exe	142
PID 1176 wrote to memory of 1272	1176	539E.exe	142
PID 1176 wrote to memory of 1272	1176	539E.exe	142
PID 3712 wrote to memory of 3616	3712	539E.exe	154
PID 3712 wrote to memory of 3616	3712	539E.exe	154
PID 3712 wrote to memory of 3616	3712	539E.exe	154
PID 3964 wrote to memory of 3156	3964	539E.exe	165
PID 3964 wrote to memory of 3156	3964	539E.exe	165
PID 3964 wrote to memory of 3156	3964	539E.exe	165
PID 3964 wrote to memory of 3152	3964	539E.exe	166
PID 3964 wrote to memory of 3152	3964	539E.exe	166
PID 3964 wrote to memory of 3152	3964	539E.exe	166
PID 3156 wrote to memory of 2768	3156	539E.exe	185
PID 3156 wrote to memory of 2768	3156	539E.exe	185
PID 3156 wrote to memory of 2768	3156	539E.exe	185
PID 3156 wrote to memory of 3392	3156	539E.exe	186
PID 3156 wrote to memory of 3392	3156	539E.exe	186
PID 3156 wrote to memory of 3392	3156	539E.exe	186
PID 2468 wrote to memory of 2100	2468	539E.exe	192
PID 2468 wrote to memory of 2100	2468	539E.exe	192
PID 2468 wrote to memory of 2100	2468	539E.exe	192
PID 2768 wrote to memory of 1564	2768	539E.exe	208
PID 2768 wrote to memory of 1564	2768	539E.exe	208
PID 2768 wrote to memory of 1564	2768	539E.exe	208
PID 2768 wrote to memory of 456	2768	539E.exe	209
PID 2768 wrote to memory of 456	2768	539E.exe	209
PID 2768 wrote to memory of 456	2768	539E.exe	209
PID 1564 wrote to memory of 4296	1564	539E.exe	228
PID 1564 wrote to memory of 4296	1564	539E.exe	228
PID 1564 wrote to memory of 4296	1564	539E.exe	228
PID 1564 wrote to memory of 4272	1564	539E.exe	229
PID 1564 wrote to memory of 4272	1564	539E.exe	229
PID 1564 wrote to memory of 4272	1564	539E.exe	229
PID 4296 wrote to memory of 4248	4296	539E.exe	248
PID 4296 wrote to memory of 4248	4296	539E.exe	248
PID 4296 wrote to memory of 4248	4296	539E.exe	248
PID 4296 wrote to memory of 1004	4296	539E.exe	249
PID 4296 wrote to memory of 1004	4296	539E.exe	249
PID 4296 wrote to memory of 1004	4296	539E.exe	249
PID 4248 wrote to memory of 608	4248	539E.exe	268
PID 4248 wrote to memory of 608	4248	539E.exe	268
PID 4248 wrote to memory of 608	4248	539E.exe	268
PID 4248 wrote to memory of 3304	4248	539E.exe	269
PID 4248 wrote to memory of 3304	4248	539E.exe	269
PID 4248 wrote to memory of 3304	4248	539E.exe	269
PID 608 wrote to memory of 4312	608	539E.exe	288
PID 608 wrote to memory of 4312	608	539E.exe	288
PID 608 wrote to memory of 4312	608	539E.exe	288
PID 608 wrote to memory of 4856	608	539E.exe	289
PID 608 wrote to memory of 4856	608	539E.exe	289
PID 608 wrote to memory of 4856	608	539E.exe	289
PID 4312 wrote to memory of 392	4312	539E.exe	308

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Users\Admin\AppData\Local\Temp\539E.exe
C:\Users\Admin\AppData\Local\Temp\539E.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 628
  2⤵
  - Program crash
  PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 916
  2⤵
  - Program crash
  PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 972
  2⤵
  - Program crash
  PID:2488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1096
  2⤵
  - Program crash
  PID:1148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1128
  2⤵
  - Program crash
  PID:3516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 896
  2⤵
  - Program crash
  PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1096
  2⤵
  - Program crash
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\539E.exe
  "C:\Users\Admin\AppData\Local\Temp\539E.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 600
    3⤵
    - Program crash
    PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1000
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1008
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1084
    3⤵
    - Program crash
    PID:3372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1092
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1104
    3⤵
    - Program crash
    PID:3300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1128
    3⤵
    - Program crash
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\539E.exe
    "C:\Users\Admin\AppData\Local\Temp\539E.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 600
      4⤵
      Program crash
      PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1044
      4⤵
      Program crash
      PID:3436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1052
      4⤵
      Program crash
      PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1052
      4⤵
      Program crash
      PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1088
      4⤵
      Program crash
      PID:4156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1072
      4⤵
      Program crash
      PID:1432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1108
      4⤵
      Program crash
      PID:4924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1064
      4⤵
      Program crash
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\539E.exe
      "C:\Users\Admin\AppData\Local\Temp\539E.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 600
        5⤵
        Program crash
        
        PID:2024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 996
        5⤵
        Program crash
        
        PID:4200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1004
        5⤵
        Program crash
        
        PID:1112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1060
        5⤵
        Program crash
        
        PID:2236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1068
        5⤵
        Program crash
        
        PID:2368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1104
        5⤵
        Program crash
        
        PID:4724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1080
        5⤵
        Program crash
        
        PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1080
        5⤵
        Program crash
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 608
        6⤵
        Program crash
        
        PID:1152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 996
        6⤵
        Program crash
        
        PID:3688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1004
        6⤵
        Program crash
        
        PID:532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1004
        6⤵
        Program crash
        
        PID:2128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1104
        6⤵
        Program crash
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1112
        6⤵
        Program crash
        
        PID:4448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1092
        6⤵
        Program crash
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 600
        7⤵
        Program crash
        
        PID:1944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 896
        7⤵
        Program crash
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 896
        7⤵
        Program crash
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 956
        7⤵
        Program crash
        
        PID:1740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1100
        7⤵
        Program crash
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1100
        7⤵
        Program crash
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1124
        7⤵
        Program crash
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 600
        8⤵
        Program crash
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 876
        8⤵
        Program crash
        
        PID:3372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1008
        8⤵
        Program crash
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1016
        8⤵
        Program crash
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1072
        8⤵
        Program crash
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1112
        8⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1120
        8⤵
        Program crash
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 600
        9⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 996
        9⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1004
        9⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1076
        9⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1008
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1112
        9⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1120
        9⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 472
        10⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 996
        10⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1072
        10⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1072
        10⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1004
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1000
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1120
        10⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 600
        11⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 940
        11⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1084
        11⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1112
        11⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1120
        11⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 944
        11⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1080
        11⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 600
        12⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 896
        12⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 896
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 904
        12⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1080
        12⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1080
        12⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1072
        12⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 536
        13⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 884
        13⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 888
        13⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1076
        13⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 884
        13⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1116
        13⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 884
        13⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 608
        14⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 996
        14⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1004
        14⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1004
        14⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1064
        14⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1104
        14⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1148
        14⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 600
        15⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 996
        15⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1064
        15⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1072
        15⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1108
        15⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1116
        15⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1128
        15⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\539E.exe
        
        "C:\Users\Admin\AppData\Local\Temp\539E.exe"
        15⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 536
        16⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 996
        16⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1064
        16⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 1080
        16⤵
        
        PID:432
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        15⤵
        Loads dropped DLL
        
        PID:1992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 984
        15⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1136
        15⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        14⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 984
        14⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1116
        14⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        13⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 932
        13⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1160
        13⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        12⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1016
        12⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1104
        12⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        11⤵
        Loads dropped DLL
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1004
        11⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 1136
        11⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        10⤵
        Loads dropped DLL
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 984
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1168
        10⤵
        
        PID:64
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        9⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 984
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1136
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 988
        8⤵
        Program crash
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1132
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Loads dropped DLL
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1016
        7⤵
        Program crash
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1248
        7⤵
        Program crash
        
        PID:924
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 984
        6⤵
        Program crash
        
        PID:4880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1132
        6⤵
        Program crash
        
        PID:4892
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 984
        5⤵
        Program crash
        
        PID:3372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1160
        5⤵
        Program crash
        
        PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 984
      4⤵
      Program crash
      PID:212
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:2100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1068
      4⤵
      Program crash
      PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 988
    3⤵
    - Program crash
    PID:3868
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1148
    3⤵
    - Program crash
    PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1048
  2⤵
  - Program crash
  PID:4528
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1168
  2⤵
  - Program crash
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1176 -ip 1176
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1176 -ip 1176
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1176 -ip 1176
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1176 -ip 1176
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1176 -ip 1176
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1176 -ip 1176
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1176 -ip 1176
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1176 -ip 1176
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3712 -ip 3712
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3712 -ip 3712
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3712 -ip 3712
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3712 -ip 3712
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3712 -ip 3712
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3712 -ip 3712
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3712 -ip 3712
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3712 -ip 3712
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2468 -ip 2468
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2468 -ip 2468
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2468 -ip 2468
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2468 -ip 2468
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2468 -ip 2468
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2468 -ip 2468
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2468 -ip 2468
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2468 -ip 2468
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2468 -ip 2468
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1176 -ip 1176
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3964 -ip 3964
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3964 -ip 3964
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3964 -ip 3964
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3964 -ip 3964
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3712 -ip 3712
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3964 -ip 3964
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3964 -ip 3964
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3964 -ip 3964
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3964 -ip 3964
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3964 -ip 3964
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3964 -ip 3964
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3156 -ip 3156
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3156 -ip 3156
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3156 -ip 3156
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3156 -ip 3156
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3156 -ip 3156
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3156 -ip 3156
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3156 -ip 3156
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3156 -ip 3156
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3156 -ip 3156
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2468 -ip 2468
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2768 -ip 2768
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2768 -ip 2768
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2768 -ip 2768
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2768 -ip 2768
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2768 -ip 2768
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2768 -ip 2768
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2768 -ip 2768
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2768 -ip 2768
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2768 -ip 2768
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1564 -ip 1564
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1564 -ip 1564
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1564 -ip 1564
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1564 -ip 1564
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1564 -ip 1564
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1564 -ip 1564
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1564 -ip 1564
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1564 -ip 1564
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1564 -ip 1564
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4296 -ip 4296
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4296 -ip 4296
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4296 -ip 4296
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4296 -ip 4296
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 4296 -ip 4296
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4296 -ip 4296
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 4296 -ip 4296
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4296 -ip 4296
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 4296 -ip 4296
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4248 -ip 4248
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 4248 -ip 4248
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4248 -ip 4248
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 4248 -ip 4248
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4248 -ip 4248
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4248 -ip 4248
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4248 -ip 4248
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4248 -ip 4248
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4248 -ip 4248
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 608 -ip 608
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 608 -ip 608
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 608 -ip 608
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 608 -ip 608
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 608 -ip 608
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 608 -ip 608
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 608 -ip 608
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 608 -ip 608
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 608 -ip 608
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4312 -ip 4312
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4312 -ip 4312
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4312 -ip 4312
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4312 -ip 4312
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4312 -ip 4312
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4312 -ip 4312
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4312 -ip 4312
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4312 -ip 4312
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4312 -ip 4312
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 392 -ip 392
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 392 -ip 392
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 392 -ip 392
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 392 -ip 392
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 392 -ip 392
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 392 -ip 392
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 392 -ip 392
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 392 -ip 392
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 392 -ip 392
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3676 -ip 3676
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3676 -ip 3676
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3676 -ip 3676
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3676 -ip 3676
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3676 -ip 3676
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3676 -ip 3676
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3676 -ip 3676
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3676 -ip 3676
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3676 -ip 3676
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4348 -ip 4348
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4348 -ip 4348
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4348 -ip 4348
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4348 -ip 4348
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4348 -ip 4348
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4348 -ip 4348
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4348 -ip 4348
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4348 -ip 4348
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4348 -ip 4348
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 3352 -ip 3352
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3352 -ip 3352
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3352 -ip 3352
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3352 -ip 3352
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\539E.exe

Filesize
6.1MB

MD5
792e96f4a47992c59f46011fc0d4ebff

SHA1
49bebb8db96d3fb451653d82ad1b6256c1573c26

SHA256
53ef085e60ea4e48eecdb8656276a4ce32f5af9b7b0ff13afd8c59bdd81f0f79

SHA512
e9d5a94eb2da8e61b29388854f2b3ef35b446d0fa654cd6e1477e55a0ca262be756d993a578b670d1a6697b6a1fbce12f09f6551a7266739c527609a5346a1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
ca4801b53fba38653c9d971eab49d6bb

SHA1
d3ed71a2a0b07d7ffa24a39b8efc37c7cffcd106

SHA256
c42b3f35b7418cbe3f5a340afb0d2a8716bffd8a09346b8bbafb9f8c8a9fa97b

SHA512
780882b491b0100ad5a16a50bb19b07bb1b908ac3933a07e8a44e9c522b2309ef848f87ce490a36b140ac3ed254ba3cddf985d8482baabed4d1a97f335b93f59

Download Submit
memory/456-270-0x00000000028E0000-0x0000000002C2D000-memory.dmp

Filesize
3.3MB

Download
memory/456-250-0x00000000028E0000-0x0000000002C2D000-memory.dmp

Filesize
3.3MB

Download
memory/456-251-0x00000000028E0000-0x0000000002C2D000-memory.dmp

Filesize
3.3MB

Download
memory/980-222-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-225-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-265-0x00000000083C0000-0x00000000083D0000-memory.dmp

Filesize
64KB

Download
memory/980-264-0x00000000083C0000-0x00000000083D0000-memory.dmp

Filesize
64KB

Download
memory/980-159-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/980-154-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/980-257-0x00000000083B0000-0x00000000083C0000-memory.dmp

Filesize
64KB

Download
memory/980-153-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/980-152-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-136-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-137-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-151-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-150-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-243-0x00000000083C0000-0x00000000083D0000-memory.dmp

Filesize
64KB

Download
memory/980-244-0x00000000083C0000-0x00000000083D0000-memory.dmp

Filesize
64KB

Download
memory/980-242-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-138-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-139-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-140-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-241-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-141-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-142-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-143-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-240-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-239-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-238-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-237-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-232-0x00000000083C0000-0x00000000083D0000-memory.dmp

Filesize
64KB

Download
memory/980-236-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-144-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-145-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-235-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-146-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-233-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-147-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-148-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-149-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-220-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-221-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-234-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-223-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-158-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/980-227-0x00000000083B0000-0x00000000083C0000-memory.dmp

Filesize
64KB

Download
memory/980-228-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-226-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-230-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-231-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/980-229-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1004-276-0x00000000020D0000-0x000000000241D000-memory.dmp

Filesize
3.3MB

Download
memory/1004-277-0x00000000020D0000-0x000000000241D000-memory.dmp

Filesize
3.3MB

Download
memory/1176-169-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1176-160-0x0000000002979000-0x0000000002F63000-memory.dmp

Filesize
5.9MB

Download
memory/1176-161-0x0000000002F70000-0x0000000003590000-memory.dmp

Filesize
6.1MB

Download
memory/1176-162-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1176-181-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1272-191-0x00000000026F0000-0x0000000002A3D000-memory.dmp

Filesize
3.3MB

Download
memory/1272-179-0x00000000026F0000-0x0000000002A3D000-memory.dmp

Filesize
3.3MB

Download
memory/1272-180-0x00000000026F0000-0x0000000002A3D000-memory.dmp

Filesize
3.3MB

Download
memory/1560-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1560-135-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/1560-132-0x0000000002DE3000-0x0000000002DF8000-memory.dmp

Filesize
84KB

Download
memory/1560-134-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/1564-267-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1564-253-0x0000000002850000-0x0000000002E3A000-memory.dmp

Filesize
5.9MB

Download
memory/1564-254-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/1900-308-0x0000000002640000-0x000000000298D000-memory.dmp

Filesize
3.3MB

Download
memory/1964-331-0x0000000002650000-0x000000000299D000-memory.dmp

Filesize
3.3MB

Download
memory/1992-342-0x0000000002E10000-0x000000000315D000-memory.dmp

Filesize
3.3MB

Download
memory/2100-256-0x0000000002210000-0x000000000255D000-memory.dmp

Filesize
3.3MB

Download
memory/2100-212-0x0000000002210000-0x000000000255D000-memory.dmp

Filesize
3.3MB

Download
memory/2100-214-0x0000000002210000-0x000000000255D000-memory.dmp

Filesize
3.3MB

Download
memory/2468-171-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2468-170-0x00000000029AD000-0x0000000002F97000-memory.dmp

Filesize
5.9MB

Download
memory/2468-182-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2468-216-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2768-217-0x00000000028DB000-0x0000000002EC5000-memory.dmp

Filesize
5.9MB

Download
memory/2768-252-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/2768-218-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3152-219-0x0000000002BA0000-0x0000000002EED000-memory.dmp

Filesize
3.3MB

Download
memory/3152-198-0x0000000002BA0000-0x0000000002EED000-memory.dmp

Filesize
3.3MB

Download
memory/3152-197-0x0000000002BA0000-0x0000000002EED000-memory.dmp

Filesize
3.3MB

Download
memory/3156-200-0x00000000028AB000-0x0000000002E95000-memory.dmp

Filesize
5.9MB

Download
memory/3156-215-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3156-201-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3304-287-0x00000000029D0000-0x0000000002D1D000-memory.dmp

Filesize
3.3MB

Download
memory/3392-208-0x0000000002800000-0x0000000002B4D000-memory.dmp

Filesize
3.3MB

Download
memory/3392-255-0x0000000002800000-0x0000000002B4D000-memory.dmp

Filesize
3.3MB

Download
memory/3392-213-0x0000000002800000-0x0000000002B4D000-memory.dmp

Filesize
3.3MB

Download
memory/3432-320-0x0000000002740000-0x0000000002A8D000-memory.dmp

Filesize
3.3MB

Download
memory/3616-189-0x0000000002450000-0x000000000279D000-memory.dmp

Filesize
3.3MB

Download
memory/3616-204-0x0000000002450000-0x000000000279D000-memory.dmp

Filesize
3.3MB

Download
memory/3616-188-0x0000000002450000-0x000000000279D000-memory.dmp

Filesize
3.3MB

Download
memory/3712-166-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3712-172-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3712-190-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3712-165-0x000000000293E000-0x0000000002F28000-memory.dmp

Filesize
5.9MB

Download
memory/3964-184-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/3964-183-0x0000000002826000-0x0000000002E10000-memory.dmp

Filesize
5.9MB

Download
memory/3964-199-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4248-279-0x00000000027E7000-0x0000000002DD1000-memory.dmp

Filesize
5.9MB

Download
memory/4272-266-0x00000000028A0000-0x0000000002BED000-memory.dmp

Filesize
3.3MB

Download
memory/4272-263-0x00000000028A0000-0x0000000002BED000-memory.dmp

Filesize
3.3MB

Download
memory/4296-269-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4296-278-0x0000000000400000-0x0000000000B72000-memory.dmp

Filesize
7.4MB

Download
memory/4296-268-0x00000000028F9000-0x0000000002EE3000-memory.dmp

Filesize
5.9MB

Download
memory/4856-298-0x0000000002270000-0x00000000025BD000-memory.dmp

Filesize
3.3MB

Download