Analysis Overview
SHA256
f5aebe7493e05852dba794ef9aecab74a2e545971065cdfddd1787618adffd3c
Threat Level: Known bad
The file AutoHotkey.exe was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus
Orcus main payload
Orcurs Rat Executable
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-20 08:45
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-20 08:45
Reported
2024-02-20 08:47
Platform
win7-20231215-en
Max time kernel
47s
Max time network
77s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\O\update.exe | C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe | N/A |
| File created | C:\Windows\System32\O\update.exe.config | C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\System32\O\update.exe | C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\O\update.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\O\update.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
"C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chnmdocd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35D1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC35D0.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\System32\O\update.exe
"C:\Windows\System32\O\update.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3F61A20E-8B93-4827-9ED1-04DDC1871BA4} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Windows\System32\O\update.exe
C:\Windows\System32\O\update.exe
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 564
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 540
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 564
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 560
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 556
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /launchSelfAndExit "C:\Windows\System32\O\update.exe" 2204 /protectFile
C:\Users\Admin\AppData\Roaming\fixer.exe
"C:\Users\Admin\AppData\Roaming\fixer.exe" /watchProcess "C:\Windows\System32\O\update.exe" 2204 "/protectFile"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
Files
memory/2420-1-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2420-0-0x000000001AF80000-0x000000001AFDC000-memory.dmp
memory/2420-2-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/2420-3-0x00000000020A0000-0x0000000002120000-memory.dmp
memory/2420-4-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\chnmdocd.cmdline
| MD5 | f586699d11424441d1a8fb5e9a53bd27 |
| SHA1 | ae7a89186597936a85b5160d92b63b015b052dab |
| SHA256 | 4efe222066c1b9a34bbc781d0bc00d28074b116223eafa963fa14d40b443dec7 |
| SHA512 | 9515bea2480d5081e36920c1289a7279c991c8f88655bcb05d4078b7e316e6ac1f255555a3fee8528a9b7a05ffe51a777fc5039758f8624626bff47fc38138b0 |
\??\c:\Users\Admin\AppData\Local\Temp\chnmdocd.0.cs
| MD5 | 6011503497b1b9250a05debf9690e52c |
| SHA1 | 897aea61e9bffc82d7031f1b3da12fb83efc6d82 |
| SHA256 | 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434 |
| SHA512 | 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9 |
memory/2352-10-0x0000000000530000-0x00000000005B0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC35D0.tmp
| MD5 | b423fa32e793db8107dbb93b80753f11 |
| SHA1 | 6ab53e5d032bad3f78248ffa6fe469301bb7c995 |
| SHA256 | cc6b6c2ede2275f02be9d6b8107fb487da758f7a01f853a17cb08f5165422edc |
| SHA512 | fba0ad245004ccca8f8a873e6e0f451bdfe66790b00bbfd6645d034e3efa5b09adcb4735396e59e7655cef52bbe14523238ff55aba52cd1ae091b2340a1b0809 |
C:\Users\Admin\AppData\Local\Temp\RES35D1.tmp
| MD5 | 684fef9727d8f6251d443e3a3858746b |
| SHA1 | f206d50081cf9cf630a63980f313e6171b93ccc1 |
| SHA256 | 126840c0b867edaff85c165f8a7b446ae0c4ae8118fa2dbe88729813a76986c7 |
| SHA512 | c2072cacf508cdfc76008053f2d11f9445aed52d8247dc1e8f3027a3d8d4c882a6c2dbc86644002f42a86261222fcf2994cde404dbae2f0e2c927710c5982814 |
C:\Users\Admin\AppData\Local\Temp\chnmdocd.dll
| MD5 | 288fe5420643b9d73d295de272b64961 |
| SHA1 | 9de6ac3346c6983d8450e3f795c46d55f32821b7 |
| SHA256 | 1e9f12ef2c583535e79876c7cc9d9c5798e5ee382547f887c3cadf684a1b3244 |
| SHA512 | d7706938750af3a1a0df0ab5b72b0ef7b662892117e364df29bb3b3c43c7934a22d63ad052c9a3f7072fc0a8dac97edc98b22920cc220174a208882edeb70f1a |
memory/2420-18-0x000000001AE00000-0x000000001AE16000-memory.dmp
memory/2420-20-0x0000000000440000-0x0000000000452000-memory.dmp
memory/2420-21-0x0000000000A30000-0x0000000000A38000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/3048-29-0x0000000001050000-0x000000000105C000-memory.dmp
memory/3048-30-0x000007FEEE7A0000-0x000007FEEF18C000-memory.dmp
memory/3048-31-0x000000001B190000-0x000000001B210000-memory.dmp
memory/3048-34-0x000007FEEE7A0000-0x000007FEEF18C000-memory.dmp
memory/2632-36-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2632-37-0x00000000004C0000-0x0000000000540000-memory.dmp
C:\Windows\System32\O\update.exe
| MD5 | 7e79f6b61e161236d55894c8fcb91c4a |
| SHA1 | 671906180d1b12fc8c57188bd4e6150438314ffc |
| SHA256 | df9a4044e80988a3ad9c2032f9a566702776dfdac4bf9e0ef0b4e3ccb105d777 |
| SHA512 | 9f5ac83f6d1b4552c20b42a55d426a11de60f0072a0bff8a2eab23993b86e8deabdd9c41a35c692567d12093f68a025e0d1aae97ca8f6d77374ed57eee5d9793 |
C:\Windows\System32\O\update.exe
| MD5 | 525f78ddd5f62018a4dcd8c4f1084d17 |
| SHA1 | ea07ba26935a4cab1d54b1dd8f2e00d6d219460f |
| SHA256 | d957854fe518fb129d8191da18c6459b10e51a341346f50a5f83f4ac93c2bd89 |
| SHA512 | 45f053fd001892c161cc94b6dec0ab5e7035307e86e68cbf9cbc4ccd846f4efaa75c9cf8c2ff298f9e5628007bd1aebd6e4779ddd3f22c2c59cb95ee3f6b8f74 |
C:\Windows\System32\O\update.exe
| MD5 | 3196c789ce43b23018be8c307c70e478 |
| SHA1 | a7956c29157ba68f1a830488ee2ec3b6ace0367b |
| SHA256 | 010fce6cf230994b90b03db09dda5c6025b804b381d2f99539f9455f733bd6ff |
| SHA512 | 2179633876fbfdf223724710a696dfee99ef18f537f11c4c75cfde5f7976fb4a183b1be7ebfe8f026e10ba522b0f74e44792276131e45fc38b4f02b24d5159b3 |
memory/2204-47-0x0000000000840000-0x000000000092C000-memory.dmp
memory/2204-49-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2420-48-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/2204-50-0x000000001B100000-0x000000001B180000-memory.dmp
memory/2204-51-0x0000000000530000-0x000000000057E000-memory.dmp
memory/2204-52-0x0000000002270000-0x0000000002288000-memory.dmp
C:\Windows\System32\O\update.exe
| MD5 | 6970781c75506dd179f939b3b2b661db |
| SHA1 | 271487ec46bea616bbb82cf86e7f5439a47e75ea |
| SHA256 | f5aebe7493e05852dba794ef9aecab74a2e545971065cdfddd1787618adffd3c |
| SHA512 | c3ba98ff2553da15517ac399797678e5e900370611fbc6c6ffe5c7d06f458fbc2b0c4cf60a37d197d61bd18a0b75676d8d9943103f391ddd59e8b929b08d2cc2 |
memory/2204-54-0x0000000000830000-0x0000000000840000-memory.dmp
memory/3020-55-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2204-56-0x000000001B100000-0x000000001B180000-memory.dmp
memory/3020-59-0x000000001A7E0000-0x000000001A860000-memory.dmp
C:\Users\Admin\AppData\Roaming\fixer.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/1956-66-0x0000000001210000-0x0000000001218000-memory.dmp
memory/1956-67-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1068-69-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1956-70-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1068-76-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2632-77-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2484-79-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1624-80-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2484-82-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1624-89-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2632-91-0x00000000004C0000-0x0000000000540000-memory.dmp
memory/3020-88-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2252-92-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2424-95-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2204-94-0x000007FEEDDB0000-0x000007FEEE79C000-memory.dmp
memory/2252-96-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2204-97-0x000000001B100000-0x000000001B180000-memory.dmp
memory/2256-104-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2424-105-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2544-107-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2256-108-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2544-115-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1376-116-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1376-119-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1364-118-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2148-127-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1364-126-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2172-129-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2148-130-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2172-135-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1744-138-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2516-144-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/1744-145-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2284-147-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2284-148-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2316-149-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2316-150-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2704-151-0x00000000743D0000-0x0000000074ABE000-memory.dmp
memory/2832-152-0x00000000743D0000-0x0000000074ABE000-memory.dmp