Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1ybq5aded4
Target file.exe
SHA256 392590926787c60698fb55e152b0d66d575e466d9a5c1a246faeb4d495ccae35
Tags
smokeloader backdoor trojan djvu redline mario23_10 collection discovery infostealer persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

392590926787c60698fb55e152b0d66d575e466d9a5c1a246faeb4d495ccae35

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan djvu redline mario23_10 collection discovery infostealer persistence ransomware spyware stealer

RedLine

RedLine payload

Detected Djvu ransomware

Detects Smokeloader packer

SmokeLoader

Djvu Ransomware

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Uses the VBS compiler for execution

Modifies file permissions

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:03

Reported

2022-10-31 22:05

Platform

win7-20220812-en

Max time kernel

150s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/536-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

memory/536-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/536-55-0x000000000064B000-0x000000000065C000-memory.dmp

memory/536-57-0x0000000000400000-0x0000000000598000-memory.dmp

memory/536-58-0x0000000000400000-0x0000000000598000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:03

Reported

2022-10-31 22:05

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\538F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D826.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5536.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D826.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\60a046ad-9b5f-4db2-970c-76f917d1593a\\5536.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5536.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\60F1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\538F.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D826.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\538F.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 1404 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1404 wrote to memory of 1904 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 4240 N/A N/A C:\Users\Admin\AppData\Local\Temp\538F.exe
PID 2440 wrote to memory of 176 N/A N/A C:\Users\Admin\AppData\Local\Temp\5536.exe
PID 2440 wrote to memory of 2400 N/A N/A C:\Users\Admin\AppData\Local\Temp\5B04.exe
PID 2440 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\5E70.exe
PID 2400 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\5B04.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2440 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\Temp\60F1.exe
PID 2440 wrote to memory of 4996 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 176 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Users\Admin\AppData\Local\Temp\5536.exe
PID 2440 wrote to memory of 4364 N/A N/A C:\Windows\explorer.exe
PID 4388 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Windows\SysWOW64\icacls.exe
PID 4388 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Users\Admin\AppData\Local\Temp\5536.exe
PID 2328 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Users\Admin\AppData\Local\Temp\5536.exe
PID 1700 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe
PID 1700 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\5536.exe C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5294.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5294.dll

C:\Users\Admin\AppData\Local\Temp\538F.exe

C:\Users\Admin\AppData\Local\Temp\538F.exe

C:\Users\Admin\AppData\Local\Temp\5536.exe

C:\Users\Admin\AppData\Local\Temp\5536.exe

C:\Users\Admin\AppData\Local\Temp\5B04.exe

C:\Users\Admin\AppData\Local\Temp\5B04.exe

C:\Users\Admin\AppData\Local\Temp\5E70.exe

C:\Users\Admin\AppData\Local\Temp\5E70.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\60F1.exe

C:\Users\Admin\AppData\Local\Temp\60F1.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\5536.exe

C:\Users\Admin\AppData\Local\Temp\5536.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3160 -ip 3160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 340

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\60a046ad-9b5f-4db2-970c-76f917d1593a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5536.exe

"C:\Users\Admin\AppData\Local\Temp\5536.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5536.exe

"C:\Users\Admin\AppData\Local\Temp\5536.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe

"C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe"

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe

"C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe

"C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1232

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\D826.exe

C:\Users\Admin\AppData\Local\Temp\D826.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1092

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1148

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1164

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 984

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1004

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1120

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1128

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 484 -ip 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 1272

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1096

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 920

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1104

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 900

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 996

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1004

C:\Users\Admin\AppData\Local\Temp\D826.exe

"C:\Users\Admin\AppData\Local\Temp\D826.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2200 -ip 2200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 920

Network

Country Destination             Domain              Proto
US      209.197.3.8:80          -                   tcp
US      8.8.8.8:53              furubujjul.net      udp
DE      91.195.240.101:80       furubujjul.net      tcp
US      8.8.8.8:53              starvestitibo.org   udp
RU      193.106.191.15:80       starvestitibo.org   tcp
US      8.8.8.8:53              shingroup.com       udp
NL      185.220.204.64:443      shingroup.com       tcp
US      20.189.173.15:443       -                   tcp
FR      2.18.109.224:443        -                   tcp
US      8.8.8.8:53              api.2ip.ua          udp
NL      162.0.217.254:443       api.2ip.ua          tcp
RU      193.106.191.15:80       starvestitibo.org   tcp
RU      78.153.144.3:2510       -                   tcp
DE      167.235.252.160:10642   -                   tcp
NL      162.0.217.254:443       api.2ip.ua          tcp
US      8.8.8.8:53              fresherlights.com   udp
US      8.8.8.8:53              uaery.top           udp
KR      222.236.49.124:80       uaery.top           tcp
BG      151.251.24.5:80         fresherlights.com   tcp
BG      151.251.24.5:80         fresherlights.com   tcp
US      8.8.8.8:53              t.me                udp
NL      149.154.167.99:443      t.me                tcp
FI      95.217.246.41:80        95.217.246.41       tcp
US      8.8.8.8:53              freeshmex.at        udp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
CZ      146.19.173.31:80        146.19.173.31       tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
US      8.8.8.8:53              disk.yandex.ru      udp
RU      87.250.250.50:443       disk.yandex.ru      tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
SA      31.167.195.177:80       freeshmex.at        tcp
US      172.86.120.215:443      -                   tcp
US      172.86.120.215:443      -                   tcp
US      172.86.120.215:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.215:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.215:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.215:443      -                   tcp
US      172.86.120.138:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.138:443      -                   tcp
US      172.86.120.215:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.138:443      -                   tcp
US      172.86.120.215:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
NL      213.227.155.103:443     -                   tcp
US      172.86.120.138:443      -                   tcp
MY      103.187.26.147:443      -                   tcp
US      172.86.120.215:443      -                   tcp
US      172.86.120.138:443      -                   tcp

Files

memory/400-132-0x00000000007ED000-0x00000000007FE000-memory.dmp

memory/400-133-0x0000000000610000-0x0000000000619000-memory.dmp

memory/400-134-0x0000000000400000-0x0000000000598000-memory.dmp

memory/400-135-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1404-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5294.dll

MD5 502e7330e6e1d55c1c65d496e9599d44
SHA1 00dbfa3c506ee2cce26882107fa262da8a83d392
SHA256 e485f007bfade595ea3b13742c1bf0da4f074edaaa65d8cf807796a18317b4f6
SHA512 bc7cf54cc991245980b127e1b643e9e28fb6377b26ffa6767736f50a02ef41e87ea744429e1f4c1a8ebad018f009ec7ab29d2c62cc469b460193b789c5ec87b7

memory/1904-138-0x0000000000000000-mapping.dmp

memory/4240-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\538F.exe

MD5 ae963f8d171481ec27f2a013b76026aa
SHA1 0f01cba183d6f76c899e5c72006edccb8dd933eb
SHA256 173d9fb69de0939d3266706ce44baf55669abdf1ca35b91236d84e1f4306f844
SHA512 27419c8081df94cb91ad03fd5d6789df5fbf1d6d6c2e1367b48155bef7447663b9234ed92da435d73d68488553fbf8587d1413be0c8c62268b33cef8cdb5c6df

C:\Users\Admin\AppData\Local\Temp\538F.exe

MD5 ae963f8d171481ec27f2a013b76026aa
SHA1 0f01cba183d6f76c899e5c72006edccb8dd933eb
SHA256 173d9fb69de0939d3266706ce44baf55669abdf1ca35b91236d84e1f4306f844
SHA512 27419c8081df94cb91ad03fd5d6789df5fbf1d6d6c2e1367b48155bef7447663b9234ed92da435d73d68488553fbf8587d1413be0c8c62268b33cef8cdb5c6df

memory/1904-144-0x00000000021A0000-0x0000000002321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5294.dll

MD5 502e7330e6e1d55c1c65d496e9599d44
SHA1 00dbfa3c506ee2cce26882107fa262da8a83d392
SHA256 e485f007bfade595ea3b13742c1bf0da4f074edaaa65d8cf807796a18317b4f6
SHA512 bc7cf54cc991245980b127e1b643e9e28fb6377b26ffa6767736f50a02ef41e87ea744429e1f4c1a8ebad018f009ec7ab29d2c62cc469b460193b789c5ec87b7

C:\Users\Admin\AppData\Local\Temp\5294.dll

MD5 502e7330e6e1d55c1c65d496e9599d44
SHA1 00dbfa3c506ee2cce26882107fa262da8a83d392
SHA256 e485f007bfade595ea3b13742c1bf0da4f074edaaa65d8cf807796a18317b4f6
SHA512 bc7cf54cc991245980b127e1b643e9e28fb6377b26ffa6767736f50a02ef41e87ea744429e1f4c1a8ebad018f009ec7ab29d2c62cc469b460193b789c5ec87b7

C:\Users\Admin\AppData\Local\Temp\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

memory/176-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

memory/2400-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5B04.exe

MD5 7073e236f88852d96342eaf93c2c6ae8
SHA1 03bf4c34b994c6276c61fd3cc4813e8030b8ec69
SHA256 f1923024464e9c4629ce3606dfbc4dc64f60b66625e428807fcde56cb06e5e29
SHA512 966502891050edc46312566bb8664afd1e1b3f10a5306a531b8b9491df3a0d188fd96bc90f333d1b814a3fe3af5773c5ffa10515793090b2f4555fe326ddeaf7

memory/2188-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5B04.exe

MD5 7073e236f88852d96342eaf93c2c6ae8
SHA1 03bf4c34b994c6276c61fd3cc4813e8030b8ec69
SHA256 f1923024464e9c4629ce3606dfbc4dc64f60b66625e428807fcde56cb06e5e29
SHA512 966502891050edc46312566bb8664afd1e1b3f10a5306a531b8b9491df3a0d188fd96bc90f333d1b814a3fe3af5773c5ffa10515793090b2f4555fe326ddeaf7

memory/4392-154-0x0000000000000000-mapping.dmp

memory/4392-155-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E70.exe

MD5 b1c75c7ebd91a35d248b230fd0e1cef4
SHA1 8d41bf258efd590db945ce0ef173e12afb1060a1
SHA256 3d07e172347c7b5cede6b6c725db004ed4a88258a1204ed534391c87a5a5716d
SHA512 bd753abb64527f98c393d1c97361d39493a0b2955dd55848aab63683040cde07f9ce4e8cd68d32bcc8d9c68889d98c013d8102023652510a861be2a0695490de

C:\Users\Admin\AppData\Local\Temp\5E70.exe

MD5 b1c75c7ebd91a35d248b230fd0e1cef4
SHA1 8d41bf258efd590db945ce0ef173e12afb1060a1
SHA256 3d07e172347c7b5cede6b6c725db004ed4a88258a1204ed534391c87a5a5716d
SHA512 bd753abb64527f98c393d1c97361d39493a0b2955dd55848aab63683040cde07f9ce4e8cd68d32bcc8d9c68889d98c013d8102023652510a861be2a0695490de

memory/3160-157-0x0000000000000000-mapping.dmp

memory/4240-160-0x00000000020D0000-0x000000000210E000-memory.dmp

memory/4240-165-0x0000000000400000-0x00000000005B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60F1.exe

MD5 0429ffc783c6c4e2897966e485bdf9a3
SHA1 04aa9bb13bbd3f47b37ad38cdf289ab1127d1323
SHA256 d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad
SHA512 995b9d0c69607f12490f5ea23a863c303a87cbb4bab9bbe3326f7f1e0cd10c797e9fd825ef4d6b5c23924427286142ce94198b8fd0e3b397168af875d24eca07

C:\Users\Admin\AppData\Local\Temp\60F1.exe

MD5 0429ffc783c6c4e2897966e485bdf9a3
SHA1 04aa9bb13bbd3f47b37ad38cdf289ab1127d1323
SHA256 d5241af9dd7e7fe48fc043b520f3366a806269d869d9add684bcb37d2582b1ad
SHA512 995b9d0c69607f12490f5ea23a863c303a87cbb4bab9bbe3326f7f1e0cd10c797e9fd825ef4d6b5c23924427286142ce94198b8fd0e3b397168af875d24eca07

memory/4240-158-0x000000000084D000-0x000000000087E000-memory.dmp

memory/4996-166-0x0000000000000000-mapping.dmp

memory/4388-168-0x0000000000000000-mapping.dmp

memory/4240-169-0x0000000004BA0000-0x0000000004C32000-memory.dmp

memory/4364-175-0x0000000000000000-mapping.dmp

memory/4388-172-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

memory/4388-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4240-167-0x0000000004CD0000-0x0000000005274000-memory.dmp

memory/4388-174-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4996-177-0x0000000001400000-0x0000000001475000-memory.dmp

memory/4996-178-0x0000000001170000-0x00000000011DB000-memory.dmp

memory/176-176-0x0000000002430000-0x000000000254B000-memory.dmp

memory/4364-180-0x0000000000B30000-0x0000000000B3C000-memory.dmp

memory/4392-179-0x0000000005780000-0x0000000005D98000-memory.dmp

memory/176-173-0x00000000022BA000-0x000000000234B000-memory.dmp

memory/4240-181-0x00000000052E0000-0x00000000053EA000-memory.dmp

memory/4240-182-0x0000000005410000-0x0000000005422000-memory.dmp

memory/4240-183-0x0000000005430000-0x000000000546C000-memory.dmp

memory/4388-184-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-185-0x0000000002880000-0x00000000029A0000-memory.dmp

memory/1904-186-0x0000000002AC0000-0x0000000002BE0000-memory.dmp

memory/2188-187-0x000000000072D000-0x000000000073E000-memory.dmp

memory/2188-188-0x0000000000610000-0x0000000000619000-memory.dmp

memory/4996-190-0x0000000001170000-0x00000000011DB000-memory.dmp

memory/2188-191-0x0000000000400000-0x0000000000598000-memory.dmp

memory/3160-192-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/3160-193-0x0000000000400000-0x0000000000598000-memory.dmp

memory/4432-194-0x0000000000000000-mapping.dmp

memory/2188-195-0x0000000000400000-0x0000000000598000-memory.dmp

C:\Users\Admin\AppData\Local\60a046ad-9b5f-4db2-970c-76f917d1593a\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

C:\Users\Admin\AppData\Local\Temp\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

memory/4388-199-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2328-197-0x0000000000000000-mapping.dmp

memory/1904-200-0x0000000002BE0000-0x0000000002CAB000-memory.dmp

memory/4392-201-0x0000000005DA0000-0x0000000005E06000-memory.dmp

memory/1904-202-0x0000000002CB0000-0x0000000002D68000-memory.dmp

memory/1904-205-0x0000000002AC0000-0x0000000002BE0000-memory.dmp

memory/4392-206-0x0000000006660000-0x0000000006822000-memory.dmp

memory/1700-207-0x0000000000000000-mapping.dmp

memory/4240-211-0x0000000000400000-0x00000000005B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5536.exe

MD5 bf35957e6b72a97dac143ff5ecb71e0b
SHA1 d168ee93fcd4ce2205988b8e155ed1b5df26299b
SHA256 8650ba0e8dcaae7c1db4f083f4039a51f9432737ae89fe3e454bb619e3ae108b
SHA512 e3d1f725eef73428717323a6eaba1a85aa24e5ecf837641bbb32386217a0965b1646ede5bdd4442b860a144aedf8f85eec65ce75a593a154e5a1221a61decb9f

memory/1700-210-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1700-214-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2328-213-0x000000000077F000-0x0000000000810000-memory.dmp

memory/4392-212-0x0000000008A10000-0x0000000008F3C000-memory.dmp

memory/4240-215-0x0000000006550000-0x00000000065C6000-memory.dmp

memory/4240-216-0x00000000065F0000-0x0000000006640000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1a295f69dfd5c6f54042f8bc5b31a6af
SHA1 d2b64e2902114ce584f382cbd78b06354b6b14f7
SHA256 b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55
SHA512 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 6161db15b06393d80d42afc1d6cf0b8e
SHA1 c8b09f369f5d3cb84da9da2dbb1201292c93d2ea
SHA256 c380989f3fcbff149bd3022c4f6868d3f6ee8e9732564de87b444260e32be940
SHA512 8dcf7a3f5ac2b303a58ee6f2ee042a395029a906d20a3968280db3b7ddae3fc04aae6d2e50344e4c4945e816e29b1e81a25d4108d192810a1e80f7b5f9323aae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 136889ac23008bfdfefb91c9e5d8a11d
SHA1 8343b8ef34dc565eda256e042b43064cb8017131
SHA256 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5
SHA512 b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0d0ddf412c8c9de12be7828d06f30fd8
SHA1 cb1011798ec13f2c2cb302c9867ddd3383dd6057
SHA256 9ea0969f065d5fd08c291aeb5782a092f397e650cd54d5e80e86017ab50148ae
SHA512 9f1617858a0dd453943e641aaf77ab16ce6c572c9023ec937be99ca767a84cdd1c7be3f7497adca3aa833ec84bbfda2eb913d6d69ad3f45c9bd3bfc9a8db3cbb

memory/4240-221-0x000000000084D000-0x000000000087E000-memory.dmp

memory/1700-222-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1612-223-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe

MD5 efcd4db108fc262b0fba4f82692bfdf1
SHA1 5cc11f23b251c802e2e5497cc40d5702853e4f16
SHA256 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976
SHA512 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe

MD5 efcd4db108fc262b0fba4f82692bfdf1
SHA1 5cc11f23b251c802e2e5497cc40d5702853e4f16
SHA256 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976
SHA512 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

memory/3408-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/484-229-0x0000000000000000-mapping.dmp

memory/4104-230-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\778d1180-f84d-4085-af45-38c5e81edb75\build2.exe

MD5 efcd4db108fc262b0fba4f82692bfdf1
SHA1 5cc11f23b251c802e2e5497cc40d5702853e4f16
SHA256 1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976
SHA512 6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

memory/4104-231-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1612-234-0x00000000008D8000-0x0000000000905000-memory.dmp

memory/4104-236-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1612-235-0x0000000000840000-0x0000000000899000-memory.dmp

memory/4104-233-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4104-237-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4240-238-0x000000000084D000-0x000000000087E000-memory.dmp

memory/4240-239-0x0000000000400000-0x00000000005B8000-memory.dmp

C:\ProgramData\sqlite3.dll

MD5 1f44d4d3087c2b202cf9c90ee9d04b0f
SHA1 106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA256 4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512 b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1700-243-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4700-246-0x0000000000000000-mapping.dmp

memory/4212-247-0x0000000000000000-mapping.dmp

memory/4104-248-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1820-249-0x0000000000000000-mapping.dmp

memory/4900-250-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4900-253-0x0000000002AAA000-0x0000000003094000-memory.dmp

memory/4900-254-0x00000000030A0000-0x00000000036C0000-memory.dmp

memory/4900-255-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/4772-256-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4772-258-0x00000000029EB000-0x0000000002FD5000-memory.dmp

memory/4772-259-0x0000000000400000-0x0000000000B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/1576-260-0x0000000000000000-mapping.dmp

memory/4900-262-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/1576-263-0x0000000002878000-0x0000000002E62000-memory.dmp

memory/1576-264-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/4772-265-0x00000000029EB000-0x0000000002FD5000-memory.dmp

memory/4772-266-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/2200-267-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4412-269-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/1576-272-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/4412-273-0x0000000000400000-0x000000000074D000-memory.dmp

memory/4900-274-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/2200-275-0x0000000002922000-0x0000000002F0C000-memory.dmp

memory/2200-276-0x0000000000400000-0x0000000000B72000-memory.dmp

memory/2328-277-0x0000000000000000-mapping.dmp

memory/2328-280-0x0000000001EE0000-0x000000000222D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/2328-281-0x0000000001EE0000-0x000000000222D000-memory.dmp

memory/4772-282-0x0000000000400000-0x0000000000B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/484-283-0x0000000000000000-mapping.dmp

memory/4412-285-0x0000000000400000-0x000000000074D000-memory.dmp

memory/4444-286-0x0000000000000000-mapping.dmp

memory/4444-289-0x0000000002270000-0x00000000025BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4456-295-0x0000000000000000-mapping.dmp

memory/4864-297-0x0000000000000000-mapping.dmp

memory/4864-300-0x0000000002120000-0x000000000246D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/2084-303-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/3660-310-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/3824-312-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/4424-319-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/2032-324-0x00000000020E0000-0x000000000242D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/2032-321-0x0000000000000000-mapping.dmp

memory/432-331-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/5028-333-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/4396-340-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4528-343-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/1956-349-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/1164-352-0x0000000000000000-mapping.dmp

memory/1164-355-0x00000000022B0000-0x00000000025FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/2200-360-0x0000000000000000-mapping.dmp

memory/4700-362-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/4700-365-0x0000000002070000-0x00000000023BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e

memory/5096-372-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D826.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/1884-374-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 1d3c3615cf925dca3c29167d1c505beb
SHA1 a94a33bef2e40c4f79e836b3532c6f551ae2d1b2
SHA256 edbfe9dc3479f78d6237c3b4fd4d8313bd7a7b3353eab64bbfd1665ae120af86
SHA512 5b02339985b6dc727bf4dca3dd46ce5706416f4e67009cd0c4b73a14cb6659c4e9b48293754d0f6379ce8b7ee1ebe680b65aca27cea6f29389f32b2d6732a37e