Analysis Overview
SHA256
ea56c4e31c9ae3e2b25b8f2886cbfb8b26ab3ba79df0261237a6983b04705114
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
SmokeLoader
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:05
Reported
2022-10-31 22:07
Platform
win7-20220812-en
Max time kernel
151s
Max time network
45s
Command Line
Signatures
Detects Smokeloader packer
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
Files
memory/1684-54-0x0000000076401000-0x0000000076403000-memory.dmp
memory/1684-56-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1684-55-0x00000000009FB000-0x0000000000A0C000-memory.dmp
memory/1684-57-0x0000000000400000-0x0000000000598000-memory.dmp
memory/1684-58-0x0000000000400000-0x0000000000598000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 22:05
Reported
2022-10-31 22:07
Platform
win10v2004-20220812-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Detects Smokeloader packer
SmokeLoader
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DAF3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1152
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1068
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1128
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1104
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 816 -ip 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1112
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2312 -ip 2312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5020 -ip 5020
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 984
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1160
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1952 -ip 1952
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1952 -ip 1952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2392 -ip 2392
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4448 -ip 4448
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1016
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1088
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1180
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
"C:\Users\Admin\AppData\Local\Temp\DAF3.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
Network
Files
C:\Users\Admin\AppData\Local\Temp\DAF3.exe
| MD5 | fd94179338c0d2db88be5d725e3e6d6a |
| SHA1 | 6f191436d3b3670f043008fe2560f475afc74ffe |
| SHA256 | 287902b6bfb79f76b9c36bdd4d782da5c7eaf5820198c3011706e17b9a9ef611 |
| SHA512 | dd93d1b38dc20689a20599a66205c69da88ab9d624657244f2d490c3f751bdfe73bff019bbb71bb8510ba544930e23b2778a9214686fa56512561dd4172eadfc |
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll
| MD5 | 436c55f2d47f867a066ad1c3aefb1f61 |
| SHA1 | 3439e80b40107f6caa3d76e06bb279420fb586c3 |
| SHA256 | c86c5ac3581fd90047ee9bf50a027be33f7b66e22853c276507271b3e98a7843 |
| SHA512 | 4bb85a9eaf4e41a2e99c8f171e3bbae7fc147c58426645ebae73a2a8211164b46f5611d349d776046ecc5cb02106e544d11c8a9acfd837a9292b97b1bd0814d9 |