Malware Analysis Report

2024-10-23 21:19

Sample ID 220625-c8ad2sddf2
Target b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492
SHA256 b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492
Tags
hawkeye_reborn keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492

Threat Level: Known bad

The file b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn keylogger persistence spyware stealer trojan

HawkEye Reborn

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 02:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 02:44

Reported

2022-06-25 03:00

Platform

win7-20220414-en

Max time kernel

203s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\invoice" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 1160 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1112 wrote to memory of 1396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1160 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2020 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1160 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1160 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 1968 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1412 wrote to memory of 852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe

"C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\onjjrazd\onjjrazd.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6DE.tmp" "c:\Users\Admin\AppData\Local\Temp\onjjrazd\CSC32A1FEF64278474EA7D89AF9879E7B1.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0l4ckoqr\0l4ckoqr.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5ED3.tmp" "c:\Users\Admin\AppData\Local\Temp\0l4ckoqr\CSC3D230F341734A8E9EF9586285E5A8BF.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1ze1q1b\d1ze1q1b.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAF5.tmp" "c:\Users\Admin\AppData\Local\Temp\d1ze1q1b\CSCB6EF175F6D51440DA617C42B45F1935.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vcdgmuy\1vcdgmuy.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCD8.tmp" "c:\Users\Admin\AppData\Local\Temp\1vcdgmuy\CSC8FDB4677247B411A8DE45971AD70DE4B.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 680

Network

Country Destination Domain Proto
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files


C:\Users\Admin\AppData\Local\Temp\1vcdgmuy\1vcdgmuy.dll

MD5 84ef43cd4038dcbf4627ceeffe640ba9
SHA1 d8c3d47660ab33b495ccc04ebcd2c7bd3328797f
SHA256 4a58f74dcc4610840dfb0b7de449b5eb25c3d4c8e41a6b84721f6f090ca309f6
SHA512 c21fab454b4daaae85f903050b9a1a8aa784c66ae8cdf8c88059fe194bb106714321431997384424fc92be14baac427eb58e2e3a29f8413dc37feda6e21987ac

memory/1968-114-0x0000000005010000-0x000000000519E000-memory.dmp

memory/2032-115-0x000000000048B2BE-mapping.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

memory/972-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

memory/1788-122-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

MD5 af744c4398b9d3cfd8be3946d03d4702
SHA1 5ff999e469c822807a08a247e3ba8b767c0e24e3
SHA256 6f097cb9fca1fac4affbfbffcdb85c25b719a225ff83b8ed33c0cfb52b217638
SHA512 d66fa82c163ad16cbd146a95e6cfbef6b0051b5b5c52052080c8b3acaf45b8c340ff934959a71ed99d1e906405dd2bb9fb21d49a7fe69c8aadb0933ca176bcc5

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 02:44

Reported

2022-06-25 02:58

Platform

win10v2004-20220414-en

Max time kernel

191s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Roaming\\invoice" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3268 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4872 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4600 wrote to memory of 1480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4872 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1464 wrote to memory of 1444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4872 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4872 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4756 wrote to memory of 344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4776 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1400 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4776 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4776 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4776 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe
PID 4776 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe

"C:\Users\Admin\AppData\Local\Temp\b008c96b1ba6c13c4e922202baad57e199d9dee32a97a1443548c8a0ca303492.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m0oo0tji\m0oo0tji.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37D9.tmp" "c:\Users\Admin\AppData\Local\Temp\m0oo0tji\CSC4166822F22AC46258777C117FD157A71.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pyhj1uym\pyhj1uym.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A4A.tmp" "c:\Users\Admin\AppData\Local\Temp\pyhj1uym\CSC9B4593F63C4C40E5B5D0C84BE58D336B.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fctf4pkm\fctf4pkm.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp" "c:\Users\Admin\AppData\Local\Temp\fctf4pkm\CSCC9C86727546049D6BFB9AEAA648887E4.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3dwgaw1\x3dwgaw1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp" "c:\Users\Admin\AppData\Local\Temp\x3dwgaw1\CSCB487208478FE42C1B7C67C9EB3E6A915.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 964

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
IE 13.69.239.73:443 tcp
US 93.184.220.29:80 tcp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HPXmmgLUSavYuccxm

\??\c:\Users\Admin\AppData\Local\Temp\m0oo0tji\m0oo0tji.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\m0oo0tji\m0oo0tji.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\m0oo0tji\CSC4166822F22AC46258777C117FD157A71.TMP

C:\Users\Admin\AppData\Local\Temp\RES37D9.tmp

C:\Users\Admin\AppData\Local\Temp\m0oo0tji\m0oo0tji.dll

\??\c:\Users\Admin\AppData\Local\Temp\pyhj1uym\pyhj1uym.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\pyhj1uym\pyhj1uym.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\pyhj1uym\CSC9B4593F63C4C40E5B5D0C84BE58D336B.TMP

C:\Users\Admin\AppData\Local\Temp\RES3A4A.tmp

C:\Users\Admin\AppData\Local\Temp\pyhj1uym\pyhj1uym.dll

\??\c:\Users\Admin\AppData\Local\Temp\fctf4pkm\fctf4pkm.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\fctf4pkm\fctf4pkm.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\fctf4pkm\CSCC9C86727546049D6BFB9AEAA648887E4.TMP

C:\Users\Admin\AppData\Local\Temp\RES6C56.tmp

C:\Users\Admin\AppData\Local\Temp\fctf4pkm\fctf4pkm.dll

\??\c:\Users\Admin\AppData\Local\Temp\x3dwgaw1\x3dwgaw1.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\x3dwgaw1\x3dwgaw1.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\x3dwgaw1\CSCB487208478FE42C1B7C67C9EB3E6A915.TMP

C:\Users\Admin\AppData\Local\Temp\RES6E1B.tmp

C:\Users\Admin\AppData\Local\Temp\x3dwgaw1\x3dwgaw1.dll

C:\Users\Admin\AppData\Local\Temp\ff42f15e-b3db-5f33-0e61-435e9087521a
