Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1zgnrsedej
Target file.exe
SHA256 ea56c4e31c9ae3e2b25b8f2886cbfb8b26ab3ba79df0261237a6983b04705114
Tags
smokeloader backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ea56c4e31c9ae3e2b25b8f2886cbfb8b26ab3ba79df0261237a6983b04705114

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan

Detects Smokeloader packer

SmokeLoader

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:07

Platform

win7-20220812-en

Max time kernel

151s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/1684-54-0x0000000076401000-0x0000000076403000-memory.dmp

memory/1684-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1684-55-0x00000000009FB000-0x0000000000A0C000-memory.dmp

memory/1684-57-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1684-58-0x0000000000400000-0x0000000000598000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:07

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DAF3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 724 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 1948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 2312 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 1948 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 816 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 816 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 2312 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 5020 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 1952 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 2392 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 4448 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 1924 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 1924 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 4404 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 4404 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Windows\SysWOW64\rundll32.exe
PID 4044 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\DAF3.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe
PID 4044 wrote to memory of 3520 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
PID 3864 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DAF3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1152

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1068

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1128

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1104

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 816 -ip 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1112

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2312 -ip 2312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5020 -ip 5020

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 984

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1160

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1952 -ip 1952

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1952 -ip 1952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2392 -ip 2392

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4448 -ip 4448

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1016

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1088

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1180

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4044 -ip 4044

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3864 -ip 3864

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 984

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 984

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4752 -ip 4752

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1088

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1932 -ip 1932

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1008

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 2644 -ip 2644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 860 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1020

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1016

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 888

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3148 -ip 3148

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3148 -ip 3148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1124

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4584 -ip 4584

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4720 -ip 4720

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1100

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4804 -ip 4804

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1116

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1040 -ip 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 896

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 3724 -ip 3724

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3724 -ip 3724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1156

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1016

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2744 -ip 2744

Network


Files


memory/1932-269-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/2148-271-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/2644-278-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/1696-280-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/3968-287-0x0000000000000000-mapping.dmp

memory/2312-289-0x0000000000000000-mapping.dmp

memory/2312-292-0x00000000021F0000-0x000000000253D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/5088-298-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/3136-303-0x0000000002340000-0x000000000268D000-memory.dmp

memory/3136-300-0x0000000000000000-mapping.dmp

memory/3148-309-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/3084-314-0x0000000002240000-0x000000000258D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/3084-311-0x0000000000000000-mapping.dmp

memory/4584-320-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4752-322-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4720-329-0x0000000000000000-mapping.dmp

memory/896-334-0x0000000002390000-0x00000000026DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/896-331-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/4804-340-0x0000000000000000-mapping.dmp

memory/660-342-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/1040-349-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/4164-354-0x0000000002210000-0x000000000255D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/4164-351-0x0000000000000000-mapping.dmp

memory/3724-360-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/3880-362-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/2744-369-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DAF3.exe

MD5 fd94179338c0d2db88be5d725e3e6d6a
SHA1 6f191436d3b3670f043008fe2560f475afc74ffe
SHA256 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611
SHA512 dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc

memory/3252-371-0x0000000000000000-mapping.dmp

memory/3252-374-0x00000000021B0000-0x00000000024FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

MD5 436c55f2d47f867a066ad1c3aefb1f61
SHA1 3439e80b40107f6caa3d76e06bb279420fb586c3
SHA256 c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843
SHA512 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9

memory/4788-380-0x0000000000000000-mapping.dmp

memory/2316-381-0x0000000000000000-mapping.dmp