Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-07-2024 15:32
Static task: static1
Behavioral task: behavioral1
Sample: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Size: 438KB
MD5: 30f15dfc6201a6efb9a1747b4bc7bd53
SHA1: 1093f2274d5e34edf790d85aa90a91973d294058
SHA256: a960fdcea40da51143229425cd1d6f7761d3ec948ae778868002d7d22ae49643
SHA512: 02a6fe125b63b4746fba9d7960c01f4332b596a677c4d3e76d96589ba8ee9a6dac4a5b1c08ba25fdf1a4e41184f5592f4b22f9ff40322d2cb0ceeabc1b480798
SSDEEP: 12288:Vo0ylIRRpiJG+OnFmQL5zGIEXAhN8obvu:VGQRog5nFmQAIgsN8obm
Malware Config
Extracted
cybergate
2.6
ÖÍíÉ
amjd.no-ip.info:266
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_file: windows.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: t?tulo da mensagem
password: abcd1234
regkey_hkcu: HKCU
Signatures
Adds policy Run key to start application 2 TTPs 20 IoCs
Processes: explorer.exe, windows.exe, windows.exe, windows.exe, 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe" | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe" | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | windows.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, windows.exe, windows.exe, 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe, windows.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3}\StubPath = "C:\\Windows\\system32\\windows.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3} | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe Restart" | windows.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3} | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3}\StubPath = "C:\\Windows\\system32\\windows.exe Restart" | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3} | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe Restart" | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe Restart" | windows.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JM3RGRHL-PU4D-47J6-2U40-F2E035FY5NI3} | windows.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: windows.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | windows.exe
Executes dropped EXE 10 IoCs
Processes: windows.exe, windows.exe, windows.exe, windows.exe, windows.exe, windows.exe, windows.exe, windows.exe, windows.exe, windows.exe
pid | process
4680 | windows.exe
2612 | windows.exe
1988 | windows.exe
4524 | windows.exe
4444 | windows.exe
2340 | windows.exe
3256 | windows.exe
4704 | windows.exe
2244 | windows.exe
2636 | windows.exe
Loads dropped DLL 1 IoCs
Processes: windows.exe
pid | process
3956 | windows.exe
Processes:
resource | yara_rule
behavioral2/memory/4060-18-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4060-22-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4536-84-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/4536-202-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
Adds Run key to start application 2 TTPs 5 IoCs
Processes: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe, windows.exe, explorer.exe, windows.exe, windows.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows.exe" | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\windows.exe" | windows.exe
Drops file in System32 directory 8 IoCs
Processes: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe, windows.exe, windows.exe, windows.exe
description | ioc | process
File created | C:\Windows\SysWOW64\windows.exe | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\windows.exe | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\windows.exe | windows.exe
File created | C:\Windows\SysWOW64\windows.exe | windows.exe
File opened for modification | C:\Windows\SysWOW64\windows.exe | windows.exe
File created | C:\Windows\SysWOW64\windows.exe | windows.exe
File opened for modification | C:\Windows\SysWOW64\windows.exe | windows.exe
File created | C:\Windows\SysWOW64\windows.exe | windows.exe
Suspicious use of SetThreadContext 5 IoCs
Processes: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe, windows.exe, windows.exe, windows.exe, windows.exe
description | pid | process | target process
PID 4432 set thread context of 4060 | 4432 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
PID 4680 set thread context of 2612 | 4680 | windows.exe | windows.exe
PID 1988 set thread context of 4524 | 1988 | windows.exe | windows.exe
PID 2340 set thread context of 3256 | 2340 | windows.exe | windows.exe
PID 2244 set thread context of 2636 | 2244 | windows.exe | windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
Modifies registry class 1 IoCs
Processes: windows.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | windows.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe, windows.exe, windows.exe, windows.exe
pid | process
4060 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
4060 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
4060 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
4060 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
2612 | windows.exe
2612 | windows.exe
2612 | windows.exe
2612 | windows.exe
4524 | windows.exe
4524 | windows.exe
4524 | windows.exe
4524 | windows.exe
3256 | windows.exe
3256 | windows.exe
3256 | windows.exe
3256 | windows.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: windows.exe
pid | process
3956 | windows.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: windows.exe
description | pid | process
Token: SeDebugPrivilege | 3956 | windows.exe
Token: SeDebugPrivilege | 3956 | windows.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
pid | process
4060 | 30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵
C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe" | 2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 252 | 3⤵
- Program crash
C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe | 3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\explorer.exe | explorer.exe | 4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Windows\SysWOW64\windows.exe | "C:\Windows\system32\windows.exe" | 5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 252 | 6⤵
- Program crash
C:\Windows\SysWOW64\windows.exe | C:\Windows\SysWOW64\windows.exe | 6⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\windows.exe | "C:\Windows\SysWOW64\windows.exe" | 7⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\windows.exe"C:\Users\Admin\AppData\Roaming\windows.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 2529⤵
-
C:\Users\Admin\AppData\Roaming\windows.exeC:\Users\Admin\AppData\Roaming\windows.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 54010⤵
-
C:\Windows\SysWOW64\windows.exe (command line: "C:\Windows\system32\windows.exe", tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 220, tree depth 6)
- Program crash
-
C:\Windows\SysWOW64\windows.exe (command line: C:\Windows\SysWOW64\windows.exe, tree depth 6)
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\windows.exe (command line: "C:\Windows\SysWOW64\windows.exe", tree depth 7)
- Executes dropped EXE
-
C:\Windows\SysWOW64\windows.exe (command line: "C:\Windows\system32\windows.exe", tree depth 5)
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 216, tree depth 6)
- Program crash
-
C:\Windows\SysWOW64\windows.exe (command line: C:\Windows\SysWOW64\windows.exe, tree depth 6)
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\windows.exe (command line: "C:\Windows\SysWOW64\windows.exe", tree depth 7)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\30f15dfc6201a6efb9a1747b4bc7bd53_JaffaCakes118.exe", tree depth 4)
-
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 76, tree depth 5)
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Filesize
8B
MD5752bd3005a8a7533430036c6cb409b43
SHA19553871930c8c5736d0ea4558cae05d674058b31
SHA2565d44aa0fc53604e1984c6a4eb1f8bfcf46423c71d68fa6e704accef3004f6752
SHA512f51f65f6b47c47df3df39d92b8faa0a92521449d4ee363bef6081f20a8924a06401cbd5aa6ee9ecb3c7ff2fc78ea9e905dfd014fd405fb471150864f6a46b50d
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5ff89ed90854758cd6efdf601c0a79163
SHA1cae410de4c5e6b74257cf712035ba3bbe1d86e3d
SHA2568ae459761f52bfaf2c0e4824f19da3605a277d2217d78d2757c09980c461f421
SHA5121f4a8d4c10f9c65e514779df94e29bd3b4e5fbff7b446d6289b71636ca7c2184e714f95f9872460dc227a0f79d6fb2779e3045d7abe38c2d0ffb3a2095d3b0c2
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD52e6ed098b5f7f57de3f776c04ae1d907
SHA1f335f251024a749a9fc743c7c986501b97a404f4
SHA2562bf63ca0bc4c1923fd9cd78a8af800a71e193a35d985dd3ec07c79745ba865b9
SHA512b29996e6aa83cfe70ad27345c8c6d53fc1bbdf48619189e7bc70054e8f501c168023bb4ba2079862edeffccd7a930eeeef95d2ec7aa0baf14893feeadf1de7ae
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD59dc9fa5e05b064a1ee3811f878acfefe
SHA1a1751ea08b7d30f8cd99758740af9373e9794081
SHA256059c7adbd568bdd081297370b537b7a5568f0f206dbc2ba1aa4374b2e37f80d2
SHA5120fcd12365feeac5ae1649eff3a41ad448dc3a60eeab2049d31a59c358dec28b550eefb71077d35c062360452d48d9c1be9f4b04a8bfa69926129f5de2cfb0ec3
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD55eae5cba59e1d9413c931bc1de0da9a4
SHA1c668f11839109f4990d5f85b38fcba29747d76f4
SHA2563b4096a6122611e0811ade145a2062d722a9150749f7f48fb9ea7c8101a6b012
SHA51269723dbf03abf54591dcea5bf1af1358ad1e67f9c63f5deae6a59002bf0675232ec7ba2321c40912c77d2dd5865bff23076e47ab5175c471652bcf08614ac923
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5982ab726acdcee9f7097ee6b858c7cda
SHA1b29143af589bba73d81f4cf9cbba1145cef84d1c
SHA2566220c8c162b5b4177f1f22ed3783fb715c0cc17a52932cad66b1f895e62e5e7d
SHA512f6938277fccc382a5d3f825cde49821b05044c9e3c5c90eeab87118b2e958d116cb999a9bf94a1fac072d328c04a1c1c56b22dc2c96a8869cbaf1023e0d3c8d4
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD58b0dd2e731be65fbf427295ff63a34b7
SHA1e1bf38b4c31978c90fb58cee8df450efb89465b2
SHA256ffbc0fe1070babc28daebd803b1e84b02a81f4eb7541e5939c4da0fd726c104c
SHA512dcc628d3f102c4e2a58b6af7ed7e64a892d0e50dc86d02f13c433ce6578a672a1b7aa783870a26c53a7fcd8aad0b6ccc1bc78e10ea1b197c375306daf3c5c486
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD50a932f8272108194ec62a4a49edf1de1
SHA1982d9b3e7e7c84c814e849b73253ac1bb8ca5144
SHA256839c9e99deeb6c0373e0dfc9d4f709d8dca6ff7745749277f9ae64fa161504ff
SHA512bb3af1375a575376267dc58decc0ea6cba174caac5b2f6b6a5e87bab6cfbb5af3c13fd6880e446a5e715671438eedd625c5d0f7d94e48bf219691e27c4d97e5a
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5c1f5b7a853711685067506ceff83a008
SHA1a013886c4f8d7212c7c43a26982f34a4c8ecb107
SHA2562c9f487bb4148fd4e4fc0b4accf4dbc3ba93db277bfbfa681c0a8fdaccdb8ce2
SHA512165f363658e8a4520d163199df42363c8edb32d109bb042625fb2d1452c3860013694222dec0c20c64dae8f30addead5151ba74ef18815565bce39657886f8e5
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD505182c2c7999925e1c3e074a27765ad3
SHA1087ae31d736fc0ca7e9f822b566cb80b0598261d
SHA256339bd64fd31155ba8ad20f965d5b62030c0996b250493f24d2d42278bd11bbd3
SHA5125fd8a38cbaed9a190ea521c033e5ec8024991583cc52d1c33f12a7b6d9939b08a0e5689336e3cbebb7503b7f41a5eb0f1597d2130c4df8031df164cf82882445
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD532acb0ce97b053edae44f74034376c0b
SHA12a8c59adcef339faaf6bb4cc9b8334949e0de586
SHA256383799fef31ac64392f1f195baa4cd575f169a60c1ad8b8feb071feedcdd1934
SHA512d1510b0387aeb27d9b9545f0703b35b34248c73c6b63b2b7fefbe6408d05405c08dd30c65325290716f2831900a1bb7b2189a9540751031dc3f61a2993736aeb
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD54efd5e14f32eedbfc5d238a1903ac68d
SHA169d05b06cd2fb6ba8ec23e2391a9dd20947deb77
SHA256ad226f5a75da5a5e8f26a4c1ce3cb45ee4c0ba24b4da824ec8ce01d431900a46
SHA5128fb35ffc839d14217c7ecc313341d102d285009540e95421b3ebe69c624c75d2c6e3c402c3a661ff12ed6a2087842b5b83928499ba68981c4c5a2ebb329dc766
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD53df3863831737f7d36107c60c180e6f6
SHA1b6c04e2bb39d0af310fe40609cef801baa0296b6
SHA25677cd1ddd0886c2d2ea66dcbe92acf3135e7fb4d57cad596d48ea5e828960e3ad
SHA5121c6e034ca67debde1a5f05c0a01fe9d0fe8b316937f5a8c18cef732cccc19b97adb57194070a7cdb92f8c8d0a0ebc7d4ffabec0e6d20ebadda5b33251fee5659
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD524e951b3125760eb51b9c024ca39f83e
SHA1b08fb531387336d093bef38f4345d29d5ac924a4
SHA256f82d7b896d553097c384bb424eff4dca82a0fbddb09a79e1cd61d725273a7dce
SHA51237c40d2318b6bdc8e2ef01a39454fa06cbfd3687451bb3c02314c69135220c906dceee69c98864b0e51ea5a73d2d4ee49b7ff3fd5cf3be0c776f03c116d00238
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5de3649b8e2a456e61780e077bca0e2dc
SHA137612101df0ff3dca4a78a52f135f76ab24318a9
SHA256bea3c6b9a380865679da065da881d15b6a36bd1964e53989d0744bee241192dc
SHA5126ed3212036d7b9d077b21f171c614991fb0358e6860969f606de18127ed4331ae230bf1a1e2ff45c7f3f20853ef832edfd573b2569827f799486b7f24dee0691
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5e1209a0b21d0059ff525d654b99ac218
SHA19169a6967b963a90176de27ae5e34e0c1dc901eb
SHA25692c14028ba4f8b6fc8b22e9b4da05557cf4da4ee3306f22e8180362ddb24fde1
SHA51296a453e7f1a882f58142299b4471e020b4bce1c19c96c6b211f8b9a0caeb7096958d66a04a5e25a40e54af1ddca603eb17b46ae8e2fbe679131ed3246e2685d6
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5b1720354749fa26aeb4047f4ce1d51a2
SHA186bf8c21ac28278f9f01dd553874758cd545aeba
SHA256cb55147766ada1c81198b5a18c1620320661973b425b8309807724400be3739b
SHA5129edb00072545085ca38742800f5a152440a24602d54a18277cc488b0227d80d21a7ab5e7f53d01c9fff9746c3aa9c20c1f77a1f73c9785b3de7ca9ffe0f11405
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD51883e20b92c766d6dba340ab76facf5f
SHA172c2285b7f588e95af410fb3029eb35056df71d4
SHA2569638a45b9e5bcc1287e0248c77162645d3b0172e4707c9461e40c6ae76dd1902
SHA5123e41c81b33b48dece0de56317798cf8ed2f1c86b2fa7e92ae127a9a561d309e103216126ded35c63b1a479ead4b4e72c3b586de63007a2adee6afea198d72ded
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5db3e6e015199dffa324df58b8fac1c0f
SHA1fc340e23d4a7023840ca450b49d511d80974e870
SHA256ad315b686eea20b702b4e1ccf553705b277b757dc1d0b2c7d942823360990c80
SHA512de406bad6ed0eaeccd660deacae03a9890b9b1e1c8cbf6fce2842a1d7f1654e07eb047289d4f7149d2bb63b665b41dd5039c0c489c5274d2d266a656434d755d
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5d9271b811552ba804eeaa5d719ec08b5
SHA1865f5b4b7ac66e091290fef55a26171990bff786
SHA256c53b4485e7f8ef85b7c6ccca567f1d467519ef2ab38771aaf8bfcaa2f3e74005
SHA512fb97d35fcf1aca88a8ca201972c5b17223b5086ec5d599d96b66c02c2dc0f68b34f9d53aa0516b10329551e5a28e4d76669cfab5f67f7b6324e63f8a7943640c
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5cd11cd1d4b737c738439006ee6b4c137
SHA1bf9688eb47e1115225f7f72808ec2bfb1e01fdba
SHA256d3b606c8fd0c1572b85e837dc9250e400fe1b23d282a23a1e7faa65b9c6e811b
SHA5129d967f81a5d267eed051ba299831a82e001f7c006a1dc65d6a8cb538091215dc4ddd42a987a33c68065142573905a6208270610943246024267a9efa0e73270b
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5d10fc990801727082c7959b7caccfed4
SHA102cbcba01180e60ce2f0b8e0af38dfb887e067ee
SHA25672d416f83dd1b024e06958f5396375b49e789148d7eb24e3fc057dc94e3da5d8
SHA512ab2fafc0e2446ed3512706263078d7b46571d6e3503a7d74c77f1ddc9229ffd09846421f14c884b01b837e15fd5bca8e86d53ae671f0d28aa803bfdc4307b92d
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD581934384d577183d3c487438e62e88cd
SHA1b0d33111968c93dd46e81ef1519c9d54613bb561
SHA2566b98b8ab71922c73883d7b87c9ef22d9b542be1a7f05c0a78392385f36e58de5
SHA5125d8c52150023660ff9b821f1c810fcfbdf7d8e952d306e1cfea9364e0710aed7a0bea483a9979ddf1245cf21ad52a8c0d6bef805990a2b396ee6269543e881ca
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5b44cadc4e0bbdf461843f5a233e66724
SHA16374ef51e99800c52fb6be22b3bfb0e3b591a4c5
SHA2566a8547603bc2fa49903852375b9e537a234969dded7cb1548f749122f317f344
SHA5128c8acee18217055d68163b0a9a1cbaa1b867804ce3865ff9bb73692454afd10039721189bfe1cd02cb41c7187066ffd0d22f38d72652074649099ea7a7f1351a
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD51277b815a6c643aa4d8a779f35d276ba
SHA1d9d22507730be22d69e660e659da2edd762c9cfb
SHA2565661928b3ebe06298e3296222351b2cf6add9656b88d812cb7d7be101ae6b796
SHA51222142ce1303351542d823597ca500dc25baf859a54784e1ac1d9a935ed147fba0e47c11bf167c5336a4170136ed41326dd2cd24ee7439130c98bfa00c9cae0c7
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD53ce58d78829c645e4a39d908fa6e07b8
SHA160dabbf3c51edd8eb3748073cd95cb76488ab018
SHA256ce0821d97b7fc6c8974c9e9c4dfa971bada29c2c33b002bafc8e5c93e69dab77
SHA512103730aa11008d4276e9db34e9e48da619821fb1ace278ba3847154e9c85b72bfa6a30e871cce18e74a22ea9159968ee233f2318dcde25effa85d5b7fe7cc109
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD58df4360e7c4e20a00ba63a0efeaedb4f
SHA100e38cbde0cd5608c9c7eda350416db070d579cd
SHA256fedf46e0c452f4489d34569d315dfdd568f7c020da3411b3b980de1d941b112f
SHA51283128b5b5d364a667da8c5ea2df7dc1e496b4b36a62798a7d4c3f14ed15a48b67b7d937de7c04cf2bdc9aaf1fec0c2ab5ab56b07c72801385e5360cf25f46c4a
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD507d089a06c0a8f1473e8f40ab80d9262
SHA11168f3c922f8899f19934fe1e15b7ffdc659583b
SHA256fac75c0062d878ff4c662545ac0c8d4bfd0e972f24dc1197dccea59a8bbd7cda
SHA512eb24eee74492fa7c0851bf11ec4891c199547767c2b7bd51ffabf37637a3b2d77bb147144fd40dcf33743d2e345811cfa51e668ae6a8b851e2ae04a186fc3486
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5a1ad8ef6d244d613e46b1d434bf372bb
SHA1366928ca207425ef4ea6257197b5a3302815a539
SHA2567e7604b1b6fa176df893be0983df16a2da460d4fd9c7af6627ca7e53b3dae94c
SHA5121408ee6a1d23a6629c8bd0f693673388d55cc2dbb396ea4d67de99eccd71c315a0dbf52a1245a2a6a43e06471abe38a7d0dc7078335925dc6ab11b90a72bb376
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5734c949ac52fc0758448f60eb1955bc5
SHA1533619d4d3c233a9a8c03103b7716b30e79b4721
SHA256085a71343c1d58998e39004bc4f624cd0aca4c6183dc19e34ae5b8c00a1852ed
SHA512a133787a4bf49fbffd194f474c9564965a8d6c69216353543097f2ce62928dfd13b49ed2952af458112f770fb29917ffe2562e8593b9eaefcccbdf3e297703b2
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD53f0515fb4489a2975ab381c78c445bbe
SHA194f35f593f1306a223151adc656160958bcacd71
SHA256a0d62dcb3be37c7aa7c6db060751b5d016f840487d33e68eb15156ca16162938
SHA51218ace8806dbe3ad2bdbdb5a8fcf0644c673388d98984aec6790f06de740c733ac4e20ab1f41038bc86ffddd8ea2e0d8f01ea555ef29eeb2a3a350dce451ad102
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD520f87a335c530966192cbca9314a2fea
SHA1409c76338a143afc7b9519185b20e1cfb2578c1a
SHA256fde58f1401cc64923bd35add363f083c7f65217183f397ed1f31f7f40659998d
SHA51262c563cb62b54071d5417990011979b5b154c3a7f7e5fc4f91e60383126d247c447d1bcd21a2a3faad298cfea258a267df9b9e446587154db6b9de59dc089210
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5e4e55596fd9f789ecc701db348891892
SHA1bc4ab1e3a4a7f4e2aef5a688fd72f53d0b81e9ed
SHA256096f75b5afe0f48ff8bd7ebb90b02d629c684b5337f15b7c6bd3bd07bb8fd52e
SHA512cd74b0d54b2cc3df1530a105cc02efc99d3f53ede0684f3bcf8c60e1a11486ef8fdaf7c768598f556e43d2c7d62e828480bc03ae8f37fbfd2f6c8b9d0183fd3b
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD52f805b49575529afca62752397352275
SHA1f0bf4294f07513ee0a5be319f1b805fb20a702d7
SHA2563cc9bac11c10516fd3e39b46cfc57f0906d2ddfa72dd58388d92d89457befa25
SHA512df5335c1184857ed295d42b9188d38b6a10d3924356e18d8d497a90a29f7e629847bc57cbb2e8b3d1a3a3fe8e389272f3cc04db1ae688cfd8067f780e423b933
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD50ad68692eea905ee26fa99314a1764a3
SHA12812f72f414413c0a2de58f07ef26e6af637c87d
SHA256da379c500cbd8728ade9c2a359fa07667f616a39f19630161bb8c75657180170
SHA5129a509b46642689e7e274b44f708a5beb70d85eb75090c9688a898fad212227b2ad97e8ed9bd7ce51c795d5a5ad6380d2a1a384cdc60a8f4a82e085015a699c49
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD59b58532d3e6377a47164d322318be5ea
SHA1ec6cdaa2fdcc416dbe7635c5c6c02532e0b9ca3a
SHA256d8cf62cb643d984e4003fafd33fb32625c56512efecacbca74434d8d87e0a67f
SHA512ad76d559244780fbc1bf3077832d8c1114dc37b8249ad65a8005cd44a7c8d3b9f14191e225f2df83a18efd2e24835561cb51b2b227aa8164d4fb7d33670f4915
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5cbdcfa77301b435b1423923ffb0f60b6
SHA13d5243c123a2338e9c5ef049a6c177e9c5b9fa86
SHA256a679b41c3c5aa35692e8d3fc3a5d25f9c1308925364f33f589e98727e20c9415
SHA51219341b79d9f55fd35ad1285261c26d53d44cb8f030c07ed156bb766f0c336a09f760d83729452ea78bda3ae6a6d6d6267e97d33e2721aa53819e64fb8b03c8e4
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5ee150baed03c7c1a21e140d5243fd4f7
SHA1d428a9a92210ddc32b217630a69907bda6fd5483
SHA2565d60485e2e3d734d4c60cb006c3e1331d146b9bd75f8d8aaeafd30b9e3e043cc
SHA512a5f4c5d5a0ece35ffed2d7afcbb0d4dd0e859e4931f04c2fde81e8173430f5a871dcc524e211db14d526f559de4ddbf33fca47f4c37c19dcf2304cee3b6ae79b
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD596ee1304cbe40d880f6e0350b519b2a6
SHA186a86167ef8f3f5ab8e99787e5e0dbab98a88117
SHA256c7b324ed92489e5134605f3305c86f15e8ee6c2612a7400d730fbd7cc3289fa3
SHA5128c469e43c5fd345ce899b0fa3b024c3b032540c1b612c9a518445e2c1502ceb1c824f5ccdbca9c9d0dba5486882626b74a2dfe4e4d02ce797088abd9ac4f5a91
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD579996f2d3ce7f285ef61f534bb4a2824
SHA164b796cc4c13d43fbcf1d94b23a4966d5e714328
SHA2562202e540fb150f075bc2897b41dab75464329c77610f5b47ddb4274d1075190d
SHA5125c064d496b645af06b2f1e56d6395bbd3662d7291087e9cf33513dc68f0c1bc306c7414e3dae9866ab4ea15e84ac9f9255013e7fb3ea8919246042c5f10bb4b7
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD598edc5f0a2c193a544762be05ec135c9
SHA163485934fcc7cc0cf5ffe2b0fa4b889fd5ac164c
SHA256f09596c55972b0e0b07b7c91d346be374512933142bdd4728b825f2a3d896d41
SHA512536ac58bd3604b3648787b6214986043dd750b149cd22e9c08140bea429134a051f8e7c59d37c8dbb944aec3fb31ca42b186df17984a72e037df13101e312e64
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD56ad034d3887d940ba4a6dfd646e3e03f
SHA1a1b77d6b114d922f98f39b33d589a25cbc4e1d68
SHA25668d3b9b7c49790fdca11719a832f8c3e4ce1d1eb2b19865791b4bbc09869b3da
SHA512344099c5adb5d4ade5e73b5a502327ada87eaddd121da56087f0c2d1df4b24a84e9c2a0d12d5706907f661b6ba53d036278d2eb75e9a6eb1c694cea75fa12b63
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD55d6bb7c70e9e825a1b972f0e18f02303
SHA1eb14da9a84fdde0205741133e6211f49051ebe03
SHA25608f5ce69cd0aef0a5b488afe806e92fa9875dccf1b20d86772214980cc8abefb
SHA51291db8614c999b47b47b63d0ef73aa4309a7b0a5abf0508f242fa8578b9b915ff2e1bc73135f76ae56d5ba8002c063304d946e451996d0b30f4754500621380ef
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5509812cacf6e03b1c3f5be53ee124a58
SHA1c69e47f9e14b9aefb3c520cf3bf78324b76d5127
SHA2569836e7a0abf88985ac0d45cbb9155c817a3df4faaaa198169c905e5ff888b098
SHA5128d58101fc2e30f8c898b1c7c54a96d91544197efc49b46530c1bf137c20d5cc934a21202c5f6ab81214eac04531f85d6c3c971095693b52b39473c5b71695fc8
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5fe8e9736ab5a91199d772e2e80d7b93c
SHA1ad469a2587660dc2e49de7791b6ff449b88520f9
SHA2565b72f406756d42d39df89f1c75c1500992292f76a40f9d93b41ac100589e9d34
SHA512608f13baec77235a80df70b380316f2f40ab15f980de256aea4231cf5b4e47243193b032a86ac8de5a3670a4718a0210c9965a9500922da0f424962f19cdd2bb
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5a0f40621425133cc2bdcbff655a4cfec
SHA13f70032e195ba069b28d1ce19a5d958f442569c5
SHA25609cf90cb5a259b14487af59d67520b09310bc0334bb8c0e5d7346a5483c99b2d
SHA51242a6ccd6d30ba961317c422e01e1c5494aca5ef234dec68e67d00683aa917126dab844af934619e9d88cec5399a1d8c6f16d2bc8f43273e78365668944e81aab
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5aa630bb43b174f5d31ff49188797c9a2
SHA1625d420efd9ac44d15643bdaee46ad7e101f5d8d
SHA256c11dc1839f40e3fea05f5867db27dc4eda01a475546ad45fcb1e654e3ecba816
SHA5122dbf39eaf1fb4a9617b5890c54dc3872a1a77c05165fa813334700f3bf0f1b78b3389b1f9f1260f065848772e9ab21604997a95b13ecf5d1c1b97902e44865c7
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5aa344c2c7c7975eb868e9506da2fa979
SHA1b555070527b95c4b1daeabe4dc2aa281ef71c742
SHA2562df14f15bbdb96085629c40d068edd44a64d68b138afb0ff86a41e92119f7aa5
SHA512eba014864015b2ece253304c6c1e527fe6d4a6a49011ed10a2c346fb1e6a209a71917d2b8878f55255050990ca3dfe45e88e03d4ca882fc54664a1bf071facdc
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD54d971ec36a26621f92bae831913f9e05
SHA11183e0799180277e40e7868787743d7d92dc9e5a
SHA25632f86ce78e4d543908814fe683f372cd43238af85619279df75e06537852451f
SHA512ce26d4cd05ce60ec206eafe4119ff02fbc838832ed5e4e5d1b5678c7d625cc858a7e90a920076e9575e46b31a8f76654d3d7e943589af18cad40a26ae982eeaa
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5283252e8dbbe6285e2fe36f6ca487fd8
SHA144f682a2efc06ff6f85d3466299b59b09246dd8e
SHA256c9ba5b813b35a6c844f13954d64732c39c7e48ef545f45aa2c6e6e5abbac9ded
SHA512c5d998729822f7ebe9a02bb0384c00eeeec75c97a63a2dffbcdd3407d17e3210360cfa60e520576088fc30ded9f409ed3a2eea7b9941dc9424c2fcfc3bc19402
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5ba2b776ddda7dff6648bc55e15b55c83
SHA1a784a30070344955e79dc70075bdaf7efc09e988
SHA256cb2ac91e051d8c798c78aedf9eba67b437bf67959c596d35bd9d5154dc75aecc
SHA51276aaf61d9c2f54b75eb50ca37dc5da2675f94b931959a9078e0fb6cd7bad0a734829dee2014ad6290bdab67926b642f4c2d9d6f2fef21e03fd5af2e72e229c89
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD505363010c2bf459e12eb60e4d2ac2d26
SHA195bf728ce2fbfd0dc7e16e0e473a0a5288e4b0fb
SHA256ec0c198632b466c8244523e347700cd341af35da4767dbefc3c605eb55ed559f
SHA51242f0272fe83f9fdddc405bfb50ffeaa9be375abcde78fab77a8dcf11ea8b832499ee57dbe6debd61d0ae248199d2b86d12ca9454c58575cd798e5cda4a59eb10
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5d00db13bddefba180d429dd8739a5785
SHA1c7e48728e5d3caa725892dff1cd9fbc2db0e1c19
SHA25649f13352b1ba97a880c31c92c24f495904371f38588043871dc80538c8ed091c
SHA512ce24c0c0f05272a7be7f09c6e7599d087bd4089f4e22763b3eedb10bb5a4a03b74eeca395ddb142f3e7a52679be910d3eba5ffcc35b8bb1a8e61b26df5bf0c11
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD51ea5dd30ace5d099ffdb863fc12620f6
SHA13ac6642d25d74758316db9e9833860d7c462d397
SHA256a8726b2abc3a77bfad5e161a3d40339a0aa668f1864747404a9d20d00485f880
SHA51233cffc5d25738749ac04a13a342177d538113c838e8e4001bf64df4af44963d580ae16df20caf01d224dd06aea487ddaaa70c6cb8c253d1579abf379a928f45f
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD568cfc3e9f8f785da7dcdc7a047174727
SHA1a3b614c2a35918621d81b66c549445b3aca437a4
SHA256c8982156ee9889d5aac7071bd53467fa4c0f23a2820a1d4a1b713675e59899e5
SHA512654be43bee44cc6b5164021e17caae9152a4e3ee81b6f787b6c88129e9f7352ca1a42a49f34f412e58f40377fba3a211477f78b81db7a9a68f24dfd355ac90a2
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5bb4190c0e0656386e5c713b1d79fec1a
SHA17e372b73f365147a18b10bc247942f0d49c45104
SHA25662b0512a9f0cd70b008c83843bb365231d14b81b5f2f2cb92cdd5bf8f19cf592
SHA512e2c808de7ef523d290c2be5b4e16cdb27a4d123c68ca58febe17119bf9b106ebc8fe95656b6fdc534f35f37aa94bb0ca2a4a27582f2dfbcd6cd8864e2f263b3b
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5950da58d78120a0143d2e23f88455683
SHA10c7c2a5aab3e7406c5c48fc8ccd62829d4cd3d26
SHA256ee23500b4b9e353d7e76bb04cba7fee9b5169176218d2742278b49b9bdeab110
SHA5128420a944397a46ccc50a5f9d40c93e1e8dc55580d23b88e056facdf2efa01388af7dd1faed2200743dd4b6a65ad3fd21611e81e636d2c1ff2a12bf04ef19aa44
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD56fae5076cc93c842db382c7ea5072405
SHA1a7e9b6cd23be7fee1248e0a723fb2aae28d39f15
SHA256cdcd2d85c86fb66b980720b997608bf2fc3e3f746b0ce69edac0c3c8fd50afc3
SHA512e969b992d65feaec3b52e25fe5a8dc02d70c9d46abceeab4538e2611555fca88bb3a88de9a37dd01e88adb14c9d00e83e0ec954db2709e08f9088edd44ef53b6
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5fbc7358d486217fa0a2250a4f08dda5d
SHA1529363805a1f06d1d521b50ec8f29a07429a253c
SHA2568de3f7f50dc19ac5bfc266fa6f24e9d69819977fc86a2266ec93903c70424f69
SHA512dc76160771e97862599f0e5bccb4fac347aa50bc6badb32a80e7346776f84c31ddbddbbd45ffefffb7a60cfc0c1de56d1182b816070e34ca049ad33ba0d24cd1
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5641b7972146a8d0ada487f29a0eb6f86
SHA1c9546c65e30e9524f3604e4d1e1c0a838bc66b70
SHA256b71858c654f47d77dbba615ba0103f558b3b82ad4c26f201a5370346dae80147
SHA512f52a2a4740f3e4b70ed1fbf4219f1658266d487c6160f409ec0f3044a8358a057c90b5f315453e26d60d3833da34b0cdd485cae4508b483eeea59bf7b3cd3625
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD59b899acc2bedbb22c2b30b0d70e1cf72
SHA1bea83388e22d565f1702c83c294f49bc2b377aae
SHA256945a2c57727713cd9a2a1029d0008eb03e5999cb7ea6fb427a88c39bba3eb3a9
SHA512df2739d5175fba00aba89cbc04eb69abf2871c1b4c971b7b8e7047827d65d26af54ab96afcce5ae4de1e7bce9efedb39855be4059e8cc0adf68adfbf1d224b42
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD53935e5010987117789ddcab009bf019c
SHA1d6462e05b96f1ad60b27d6ab38df04f1dfd64c3d
SHA256e46bd9e8279294d87bae517b6312db93fec504e8b28971bb6696b50344c57ead
SHA5122a58aa4235bebd1f930d631483d2e1ee81b3201f35547d82487d00dec128ac0237385d7c025f7265d11620694d09d5c802af838465d18b6bf907aea4e9c4816f
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5c483a7f74b21aab36c4a05d20b5f826d
SHA1e7a8b40ff7c39f01cafbe7b26f247d44d9c78ce0
SHA256a02ca1b8992d45ef3887df36798afbf1e9cbd486ee23f24c9194fc909335779d
SHA512528b3ffc98c9e3fed636cc20a1cd6e927acd4b214d637b5c1219d4763a70f056822cdb95fcb1653947ce595c0cbab3fe01d74aa3535dad6acdf1c45a097cf99c
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5477e60f0e56898d288d137fc9f78146a
SHA10f3977df412223caa4d6ef936f16a92845ff9caf
SHA256483d72eb03aabe5259cc311c288ebc81bfe466ecc8581f22557f72e4be425cb4
SHA512d2058bfa695183e147c3df6d1a9cf451226cbff73227dd4018b68a073af72015246c5bf6d853c7f26ad7c1303692bb5c16f4df1fad850da6c8f81dbe69e8b1d3
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5e718f185dccda0507d07326d004acdf9
SHA137445d83a8ff69b216ecb59cb7bd460978606f17
SHA2563ebeb5521cc106ee3806ff5058de71c27f4c377158f231cc7a60e7f5784310c4
SHA51204f223f0113116fd14cc9208dd66a0eda66271737c053943aaa0deced702d952c8e13954941a7fdbfcc55bfc42b4f102dc2401de04cfce314e07dd20c2887bf8
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5a65bdfb2639cc9dce2b7d79945e430f9
SHA1e8366fbcad395ffa1fcf16781b34dd336024b5ed
SHA2569329ae05d389a4b2475faf729d3ee162563131851b283e8c27869a3a150c1335
SHA512c09285adcd61e1c98d2d614b9ccf275d429c3860725b273d3a435f7d6fcc52a8dcc78c3faf1465d0703cd9101bac1cc70d6518ec2e8a6a286d4ce7e1a265db0d
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD50b19cbf7cbbf2c9d0f2ed9cd0229152f
SHA1f4f2b9070aec0f7929b3c88fab30f8f526b695fc
SHA256d43b734f430c2bac5e7eba244e2d18dcb8867380a2a07406579f8708b3601ad5
SHA51231eaa3ce4b6f7fdaecf64564ab958755e3c49bbe6447c2c3f66f04f942ba1b3fed016add4c500d2fe8583e5c56f7c22233d318d397621403a0af2d4441c33649
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD53531cd505ff891bd50c814b2991369db
SHA1ec57400f3c3089beea4c7924bb615599cf57aa69
SHA256dd41208118bd664fd4fb6958ee630462e143981d514bdad71a8bf3f1bd5faf92
SHA512295ae642abdb12051db86a607eb37f4e86ee13dba1396b3600ca71424807262336e15eeb4d6268de42abb7520ea7491ea03fa050334b3e9d9a2ac238e307e189
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5c38596525256d3e038257dce1652d4a2
SHA1181876f19b92aab442908e126044622f07557870
SHA2565bfa304e13a57177a82ca1d54f48036df8db0253ee7c3d2b9726aa1dbd28687a
SHA5121c3bdcb1c51bfbb0dd1442a5f8827566a856b0c139a5544c895c75010150c14eaaa5a7f530783e1d48af82b2681d94d284bd821aaf972e7d50acf315b8e406ad
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5248b65d70093d2ec2b84d00b77031de8
SHA1aff417a2ded9a12083fdb8f27fb9637402bf1a91
SHA2561bfae0950d12fb322508f0460a13deb378bd43ce0e7672ebeaba7f0187845b64
SHA512630518ed664e526d4f83703fd7fe2ce4f83d665b1d2e95df1967785ef11700b7b48768422cb133af46707acef4a7ee41b6b3021e13cb0173518208736b87b9b9
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5cf13f3f397c3d7f75366458a730e9485
SHA17de0e30a0e9703f79eaaa76fad85c6a35f45e558
SHA2562d0d375b48569f839e787c3b26a4b0bcd87b1d883ee2da88b246eb1bde4f30db
SHA51231ada6b058f470d45b88fb0b0b08f38ee4e4e749813258b05f83a572d19f79c40b2816d20e2afb865d792c22df442e15e2cce731a1bdd2d5cdf605a4e40dddee
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5be2b5123c3e61afaea664ba0348c7ad2
SHA11b1a5b87fe31e8e3dd5a45c6b04413a0b3b79a73
SHA256c02227b5b946c07a5e7fbd1a3fdaee44731a55fe62d334469e0862854f250a32
SHA512a349a915ac22ccc101fac29c7547a0af13a0d853c1209bc9e256e334b780e6ad97aaa40305b3d877a250c78402d2c1f6543ecc905535973def526122202fbd44
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD50f0e96c860eda0af4be6ca62ac909759
SHA172596bd4e0b6d4665a148db50874b913b87116e2
SHA256003dcefe4f206b3744798d82e02293da7c908c02b429092ba07d6fd9dcfd2063
SHA51245f4f6042c40a5a416cf7aaf765e354d4fc10863827fea9772cf75fba8340596dbf010548e3d406bc858952acadae483101a5b45e7cc87c468ad1ffaf0aca0c0
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5ee795c0c2f574acf33ca099837c94621
SHA10d5fb35446a016053f8a7b5df7d3b10c3294a6d0
SHA256e4b1baec09537adf9a7d77e696b1d8855b6e2b36efae6905e0ff9f8b19367ef9
SHA51294cd537c6e78670e9c3cc5e9687c6ac1db5ae5eee6d9418e1db8bc8b80530f0373d8d9d1afb09620e0f059fb909c1ab9a166e84f48231a53d662875cc730ebc2
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD519abc1d69e30588beed8204d24d3d283
SHA148130acd2a4df917602e98370af62fd2dd3cc28e
SHA256ac21e1fc22ec20f6e621ef5eba4cbe517b609c5d37c8da1104b627a1fd440cd4
SHA512bd1712803871865185c3f6be4aabc11f86255cdbcc499d1ef0a3cb3abae7b671866a1f00a165c63e3ca7939c08880d6ebcc3b98a0707723264a3065a85cc472a
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5df044c3190743f9032610c5fbcda43f8
SHA12831635895fd374f77d4594f304fa21838be8545
SHA2560e58926b3445b9765860008c8f6a8ff0621960e5a0526595728da232292f002f
SHA512e74780874eb92659cac34c1347c6908e495122c68622d12f91368e6e9797a0dbd97e8820112f5ac159772f4e800bc39c5c8f8e7074bb5179065cdc396084f276
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5a931ed1096a95ae8cc93aeb7e4a118b7
SHA128b7ae9c08d8e5e3ee078e7a2b8c07c1436aa7aa
SHA256ad7851670e8427ba60ec8edba9216d36c67384dc83865bdfd0248f3561c7e748
SHA512a44a9ba53c8158b1fc51a7321d2d50e18c4d069c71f4c0a23d8ce06271faeeec2241b0f21fba644f97afae439f309da973d323883f1c900e661050d9f0cf1743
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5d6f41cce5886ad2bbb6ce4f6b6463e27
SHA14376851c5ea07608999a239c005b20a94dbaec03
SHA25663e474eda8b9f752d4c60abfd43110a4ea9426d295d56d807c142b49edacfa99
SHA5124ca30e2067671020f06988eaaa594b3a1182e0732c9a8ed0cad86d67d9efc5bd3b581130337c52916d6bcd1da87e54262a29c59168c314f5cacc10d08069c969
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5a1b5e6bdbad262322bc6b5b3ebd5710a
SHA128815de128b0336d480190877538d8e829232105
SHA256ca42b9a565127b2e2083d4bf97f3d2684b36d41f032ebb5f14250480f93d37f8
SHA51211ffeb67a8ad6c76e579bffd531514cfeafa2fe398bd25a90ff6a45e99a65e1973d17b99a387bf51f329be2726a6e939c97a4e70de444de4baacb6b5e539e862
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
MD5e43435294c971baf53e77db4421f53f0
SHA1cf76bab0362e9f5101ad09e18adc89d7650f3c64
SHA2568c2927cf217ea85c34fd75cf18ac7fb5dc88344c17ecaeef044e4f7d9b5ced36
SHA5122afe670af298309f49c11ba188be64de15d17ecfe7d1e1b77d5cf495a9d51371756e929eccbd53b6776a941da11aab57827394d4dafd0170e5a00832c188f1fb
-
C:\Users\Admin\AppData\Local\Temp\XxX.xXxFilesize
8B
-
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B
-
C:\Windows\SysWOW64\windows.exe
Filesize
438KB