agenttesla | 06b9ec5bcbddaf19ad375e5f7216b7fbcc0a854867d301a2e13b683b5908ec6c

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
Size

382KB
MD5

daba34ee91d71e27825d0e34dca5aa1c
SHA1

e18bb4bbf084e39d8f12765bdeefee694783a55b
SHA256

06b9ec5bcbddaf19ad375e5f7216b7fbcc0a854867d301a2e13b683b5908ec6c
SHA512

dcfe1b3d05a1ac88929d96478e02c235c66b900c5a52a470aeb0b922ba0f671f7980a205ba791c09eecbdb9e93e51afe76447462ec6d4d53987719de12a944dc
SSDEEP

6144:3K6g8ITLkw7HKIBHyFguPnPZZWzPLSQjMrNabcgM8u5hOVHrK/C62wRi/KEmz7ao:3KLkw2i4L3ZiCr4bcgMLOVHma7ipKo

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
server252.web-hosting.com
Port:
587
Username:
[email protected]
Password:
)nf%CWKJ[FaW

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4908-41-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	nZqhVHCwzXpXRKSJma5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	nZqhVHCwzXpXRKSJma5.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	nZqhVHCwzXpXRKSJma5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	nZqhVHCwzXpXRKSJma5.exe

Executes dropped EXE 64 IoCs

pid	Process
4316	nZqhVHCwzXpXRKSJma5.exe
2144	nZqhVHCwzXpXRKSJma5.exe
4720	nZqhVHCwzXpXRKSJma5.exe
4600	nZqhVHCwzXpXRKSJma5.exe
3168	nZqhVHCwzXpXRKSJma5.exe
2244	nZqhVHCwzXpXRKSJma5.exe
4312	nZqhVHCwzXpXRKSJma5.exe
4840	nZqhVHCwzXpXRKSJma5.exe
3308	nZqhVHCwzXpXRKSJma5.exe
2944	nZqhVHCwzXpXRKSJma5.exe
800	nZqhVHCwzXpXRKSJma5.exe
1488	nZqhVHCwzXpXRKSJma5.exe
1468	nZqhVHCwzXpXRKSJma5.exe
3424	nZqhVHCwzXpXRKSJma5.exe
4556	nZqhVHCwzXpXRKSJma5.exe
2388	nZqhVHCwzXpXRKSJma5.exe
3628	nZqhVHCwzXpXRKSJma5.exe
2172	nZqhVHCwzXpXRKSJma5.exe
1732	nZqhVHCwzXpXRKSJma5.exe
2108	nZqhVHCwzXpXRKSJma5.exe
936	nZqhVHCwzXpXRKSJma5.exe
4432	nZqhVHCwzXpXRKSJma5.exe
3932	nZqhVHCwzXpXRKSJma5.exe
3676	nZqhVHCwzXpXRKSJma5.exe
3972	nZqhVHCwzXpXRKSJma5.exe
2416	nZqhVHCwzXpXRKSJma5.exe
4128	nZqhVHCwzXpXRKSJma5.exe
2516	nZqhVHCwzXpXRKSJma5.exe
1896	nZqhVHCwzXpXRKSJma5.exe
3332	nZqhVHCwzXpXRKSJma5.exe
4948	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
3632	nZqhVHCwzXpXRKSJma5.exe
3976	nZqhVHCwzXpXRKSJma5.exe
1708	nZqhVHCwzXpXRKSJma5.exe
1080	nZqhVHCwzXpXRKSJma5.exe
2816	nZqhVHCwzXpXRKSJma5.exe
3504	nZqhVHCwzXpXRKSJma5.exe
4856	nZqhVHCwzXpXRKSJma5.exe
408	nZqhVHCwzXpXRKSJma5.exe
4984	nZqhVHCwzXpXRKSJma5.exe
4764	nZqhVHCwzXpXRKSJma5.exe
1984	nZqhVHCwzXpXRKSJma5.exe
1900	nZqhVHCwzXpXRKSJma5.exe
3332	nZqhVHCwzXpXRKSJma5.exe
4772	nZqhVHCwzXpXRKSJma5.exe
4380	nZqhVHCwzXpXRKSJma5.exe
2172	nZqhVHCwzXpXRKSJma5.exe
2744	nZqhVHCwzXpXRKSJma5.exe
3832	nZqhVHCwzXpXRKSJma5.exe
556	nZqhVHCwzXpXRKSJma5.exe
3232	nZqhVHCwzXpXRKSJma5.exe
5068	nZqhVHCwzXpXRKSJma5.exe
548	nZqhVHCwzXpXRKSJma5.exe
3456	nZqhVHCwzXpXRKSJma5.exe
3672	nZqhVHCwzXpXRKSJma5.exe
3980	nZqhVHCwzXpXRKSJma5.exe
4448	nZqhVHCwzXpXRKSJma5.exe
3544	nZqhVHCwzXpXRKSJma5.exe
3876	nZqhVHCwzXpXRKSJma5.exe
112	nZqhVHCwzXpXRKSJma5.exe
4848	nZqhVHCwzXpXRKSJma5.exe
4296	nZqhVHCwzXpXRKSJma5.exe
956	nZqhVHCwzXpXRKSJma5.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 4908	4316	nZqhVHCwzXpXRKSJma5.exe	94
PID 2144 set thread context of 4552	2144	nZqhVHCwzXpXRKSJma5.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2252	4720	WerFault.exe	104
1928	4600	WerFault.exe	108
5080	3168	WerFault.exe	111
232	2244	WerFault.exe	114
3504	4312	WerFault.exe	117
3584	4840	WerFault.exe	120
4560	3308	WerFault.exe	123
3952	2944	WerFault.exe	126
1376	800	WerFault.exe	129
5108	1488	WerFault.exe	132
3936	1468	WerFault.exe	135
5020	3424	WerFault.exe	138
4072	4556	WerFault.exe	141
3612	2388	WerFault.exe	144
2528	3628	WerFault.exe	147
1444	2172	WerFault.exe	150
4188	1732	WerFault.exe	153
4600	2108	WerFault.exe	156
960	936	WerFault.exe	159
2780	4432	WerFault.exe	162
964	3932	WerFault.exe	165
4840	3676	WerFault.exe	168
2156	3972	WerFault.exe	171
4472	2416	WerFault.exe	174
1376	4128	WerFault.exe	177
3536	2516	WerFault.exe	182
2276	1896	WerFault.exe	185
2940	3332	WerFault.exe	188
376	4948	WerFault.exe	191
3620	2528	WerFault.exe	195
1840	3632	WerFault.exe	198
4992	3976	WerFault.exe	201
3200	1708	WerFault.exe	204
4228	1080	WerFault.exe	207
3940	2816	WerFault.exe	210
4068	3504	WerFault.exe	213
4308	4856	WerFault.exe	216
2944	408	WerFault.exe	219
1376	4984	WerFault.exe	223
3028	4764	WerFault.exe	226
4360	1984	WerFault.exe	229
1236	1900	WerFault.exe	232
2388	3332	WerFault.exe	235
4368	4772	WerFault.exe	238
1956	4380	WerFault.exe	241
4188	2172	WerFault.exe	244
4320	2744	WerFault.exe	247
964	3832	WerFault.exe	252
3504	556	WerFault.exe	255
4856	3232	WerFault.exe	258
4516	5068	WerFault.exe	261
3844	548	WerFault.exe	264
3028	3456	WerFault.exe	267
1736	3672	WerFault.exe	270
1820	3980	WerFault.exe	273
3372	4448	WerFault.exe	276
3624	3544	WerFault.exe	279
2608	3876	WerFault.exe	282
4280	112	WerFault.exe	285
4100	4848	WerFault.exe	288
964	4296	WerFault.exe	291
3504	956	WerFault.exe	294
2540	2644	WerFault.exe	297
4468	3944	WerFault.exe	300

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	nZqhVHCwzXpXRKSJma5.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4316	nZqhVHCwzXpXRKSJma5.exe
4316	nZqhVHCwzXpXRKSJma5.exe
2144	nZqhVHCwzXpXRKSJma5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	nZqhVHCwzXpXRKSJma5.exe
Token: SeDebugPrivilege	2144	nZqhVHCwzXpXRKSJma5.exe
Token: SeDebugPrivilege	4908	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4908	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 4316	3408	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	84
PID 3408 wrote to memory of 4316	3408	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	84
PID 3408 wrote to memory of 4316	3408	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	84
PID 4316 wrote to memory of 2156	4316	nZqhVHCwzXpXRKSJma5.exe	86
PID 4316 wrote to memory of 2156	4316	nZqhVHCwzXpXRKSJma5.exe	86
PID 4316 wrote to memory of 2156	4316	nZqhVHCwzXpXRKSJma5.exe	86
PID 2156 wrote to memory of 4780	2156	csc.exe	89
PID 2156 wrote to memory of 4780	2156	csc.exe	89
PID 2156 wrote to memory of 4780	2156	csc.exe	89
PID 4316 wrote to memory of 2300	4316	nZqhVHCwzXpXRKSJma5.exe	90
PID 4316 wrote to memory of 2300	4316	nZqhVHCwzXpXRKSJma5.exe	90
PID 4316 wrote to memory of 2300	4316	nZqhVHCwzXpXRKSJma5.exe	90
PID 2300 wrote to memory of 3952	2300	csc.exe	92
PID 2300 wrote to memory of 3952	2300	csc.exe	92
PID 2300 wrote to memory of 3952	2300	csc.exe	92
PID 4316 wrote to memory of 3640	4316	nZqhVHCwzXpXRKSJma5.exe	93
PID 4316 wrote to memory of 3640	4316	nZqhVHCwzXpXRKSJma5.exe	93
PID 4316 wrote to memory of 3640	4316	nZqhVHCwzXpXRKSJma5.exe	93
PID 4316 wrote to memory of 4908	4316	nZqhVHCwzXpXRKSJma5.exe	94
PID 4316 wrote to memory of 4908	4316	nZqhVHCwzXpXRKSJma5.exe	94
PID 4316 wrote to memory of 4908	4316	nZqhVHCwzXpXRKSJma5.exe	94
PID 4316 wrote to memory of 4908	4316	nZqhVHCwzXpXRKSJma5.exe	94
PID 4316 wrote to memory of 2144	4316	nZqhVHCwzXpXRKSJma5.exe	96
PID 4316 wrote to memory of 2144	4316	nZqhVHCwzXpXRKSJma5.exe	96
PID 4316 wrote to memory of 2144	4316	nZqhVHCwzXpXRKSJma5.exe	96
PID 2144 wrote to memory of 436	2144	nZqhVHCwzXpXRKSJma5.exe	97
PID 2144 wrote to memory of 436	2144	nZqhVHCwzXpXRKSJma5.exe	97
PID 2144 wrote to memory of 436	2144	nZqhVHCwzXpXRKSJma5.exe	97
PID 436 wrote to memory of 5108	436	csc.exe	99
PID 436 wrote to memory of 5108	436	csc.exe	99
PID 436 wrote to memory of 5108	436	csc.exe	99
PID 2144 wrote to memory of 5032	2144	nZqhVHCwzXpXRKSJma5.exe	100
PID 2144 wrote to memory of 5032	2144	nZqhVHCwzXpXRKSJma5.exe	100
PID 2144 wrote to memory of 5032	2144	nZqhVHCwzXpXRKSJma5.exe	100
PID 5032 wrote to memory of 2652	5032	csc.exe	102
PID 5032 wrote to memory of 2652	5032	csc.exe	102
PID 5032 wrote to memory of 2652	5032	csc.exe	102
PID 2144 wrote to memory of 4552	2144	nZqhVHCwzXpXRKSJma5.exe	103
PID 2144 wrote to memory of 4552	2144	nZqhVHCwzXpXRKSJma5.exe	103
PID 2144 wrote to memory of 4552	2144	nZqhVHCwzXpXRKSJma5.exe	103
PID 2144 wrote to memory of 4552	2144	nZqhVHCwzXpXRKSJma5.exe	103
PID 2144 wrote to memory of 4720	2144	nZqhVHCwzXpXRKSJma5.exe	104
PID 2144 wrote to memory of 4720	2144	nZqhVHCwzXpXRKSJma5.exe	104
PID 2144 wrote to memory of 4720	2144	nZqhVHCwzXpXRKSJma5.exe	104
PID 2144 wrote to memory of 4600	2144	nZqhVHCwzXpXRKSJma5.exe	108
PID 2144 wrote to memory of 4600	2144	nZqhVHCwzXpXRKSJma5.exe	108
PID 2144 wrote to memory of 4600	2144	nZqhVHCwzXpXRKSJma5.exe	108
PID 2144 wrote to memory of 3168	2144	nZqhVHCwzXpXRKSJma5.exe	111
PID 2144 wrote to memory of 3168	2144	nZqhVHCwzXpXRKSJma5.exe	111
PID 2144 wrote to memory of 3168	2144	nZqhVHCwzXpXRKSJma5.exe	111
PID 2144 wrote to memory of 2244	2144	nZqhVHCwzXpXRKSJma5.exe	114
PID 2144 wrote to memory of 2244	2144	nZqhVHCwzXpXRKSJma5.exe	114
PID 2144 wrote to memory of 2244	2144	nZqhVHCwzXpXRKSJma5.exe	114
PID 2144 wrote to memory of 4312	2144	nZqhVHCwzXpXRKSJma5.exe	117
PID 2144 wrote to memory of 4312	2144	nZqhVHCwzXpXRKSJma5.exe	117
PID 2144 wrote to memory of 4312	2144	nZqhVHCwzXpXRKSJma5.exe	117
PID 2144 wrote to memory of 4840	2144	nZqhVHCwzXpXRKSJma5.exe	120
PID 2144 wrote to memory of 4840	2144	nZqhVHCwzXpXRKSJma5.exe	120
PID 2144 wrote to memory of 4840	2144	nZqhVHCwzXpXRKSJma5.exe	120
PID 2144 wrote to memory of 3308	2144	nZqhVHCwzXpXRKSJma5.exe	123
PID 2144 wrote to memory of 3308	2144	nZqhVHCwzXpXRKSJma5.exe	123
PID 2144 wrote to memory of 3308	2144	nZqhVHCwzXpXRKSJma5.exe	123
PID 2144 wrote to memory of 2944	2144	nZqhVHCwzXpXRKSJma5.exe	126
PID 2144 wrote to memory of 2944	2144	nZqhVHCwzXpXRKSJma5.exe	126

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\leorlxcr\leorlxcr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CA2.tmp" "c:\Users\Admin\AppData\Local\Temp\leorlxcr\CSC315630C795AF410A81C9B45372CB19FC.TMP"
      4⤵
      PID:4780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hclcgu4t\hclcgu4t.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp" "c:\Users\Admin\AppData\Local\Temp\hclcgu4t\CSCEF736D98D42F4579A6DA9D356F7588.TMP"
      4⤵
      PID:3952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlbzqt0c\qlbzqt0c.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84C0.tmp" "c:\Users\Admin\AppData\Local\Temp\qlbzqt0c\CSCD2EF96C690564CAAACC1F83ACD5BED68.TMP"
        5⤵
        
        PID:5108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\34qca5p3\34qca5p3.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8618.tmp" "c:\Users\Admin\AppData\Local\Temp\34qca5p3\CSC60842E8295FA4308985B5C38737135BE.TMP"
        5⤵
        
        PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 964
        5⤵
        Program crash
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 964
        5⤵
        Program crash
        
        PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 956
        5⤵
        Program crash
        
        PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 940
        5⤵
        Program crash
        
        PID:232
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 964
        5⤵
        Program crash
        
        PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 940
        5⤵
        Program crash
        
        PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 944
        5⤵
        Program crash
        
        PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 940
        5⤵
        Program crash
        
        PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 940
        5⤵
        Program crash
        
        PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 940
        5⤵
        Program crash
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 940
        5⤵
        Program crash
        
        PID:3936
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 940
        5⤵
        Program crash
        
        PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 956
        5⤵
        Program crash
        
        PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 940
        5⤵
        Program crash
        
        PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 940
        5⤵
        Program crash
        
        PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 944
        5⤵
        Program crash
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 944
        5⤵
        Program crash
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 940
        5⤵
        Program crash
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 940
        5⤵
        Program crash
        
        PID:960
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 940
        5⤵
        Program crash
        
        PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 948
        5⤵
        Program crash
        
        PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 940
        5⤵
        Program crash
        
        PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 940
        5⤵
        Program crash
        
        PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2416
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 940
        5⤵
        Program crash
        
        PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 944
        5⤵
        Program crash
        
        PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 944
        5⤵
        Program crash
        
        PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 940
        5⤵
        Program crash
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 940
        5⤵
        Program crash
        
        PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 940
        5⤵
        Program crash
        
        PID:376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 944
        5⤵
        Program crash
        
        PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 940
        5⤵
        Program crash
        
        PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 940
        5⤵
        Program crash
        
        PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 940
        5⤵
        Program crash
        
        PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 940
        5⤵
        Program crash
        
        PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 940
        5⤵
        Program crash
        
        PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 964
        5⤵
        Program crash
        
        PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 940
        5⤵
        Program crash
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 944
        5⤵
        Program crash
        
        PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 940
        5⤵
        Program crash
        
        PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 964
        5⤵
        Program crash
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 940
        5⤵
        Program crash
        
        PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 964
        5⤵
        Program crash
        
        PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 948
        5⤵
        Program crash
        
        PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 964
        5⤵
        Program crash
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 940
        5⤵
        Program crash
        
        PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 940
        5⤵
        Program crash
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:2744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 948
        5⤵
        Program crash
        
        PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 940
        5⤵
        Program crash
        
        PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 944
        5⤵
        Program crash
        
        PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 940
        5⤵
        Program crash
        
        PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:5068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 940
        5⤵
        Program crash
        
        PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 940
        5⤵
        Program crash
        
        PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 948
        5⤵
        Program crash
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 940
        5⤵
        Program crash
        
        PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 940
        5⤵
        Program crash
        
        PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 964
        5⤵
        Program crash
        
        PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 940
        5⤵
        Program crash
        
        PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:3876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 940
        5⤵
        Program crash
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 940
        5⤵
        Program crash
        
        PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 948
        5⤵
        Program crash
        
        PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 944
        5⤵
        Program crash
        
        PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      PID:956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 940
        5⤵
        Program crash
        
        PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 948
        5⤵
        Program crash
        
        PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 940
        5⤵
        Program crash
        
        PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 956
        5⤵
        
        PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 940
        5⤵
        
        PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 940
        5⤵
        
        PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 948
        5⤵
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 940
        5⤵
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 948
        5⤵
        
        PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 940
        5⤵
        
        PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 940
        5⤵
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 940
        5⤵
        
        PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 940
        5⤵
        
        PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 952
        5⤵
        
        PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 940
        5⤵
        
        PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 964
        5⤵
        
        PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 948
        5⤵
        
        PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 940
        5⤵
        
        PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 948
        5⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 964
        5⤵
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 952
        5⤵
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 944
        5⤵
        
        PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 944
        5⤵
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 940
        5⤵
        
        PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 948
        5⤵
        
        PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 940
        5⤵
        
        PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 940
        5⤵
        
        PID:516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 940
        5⤵
        
        PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 964
        5⤵
        
        PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 940
        5⤵
        
        PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 940
        5⤵
        
        PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 944
        5⤵
        
        PID:372
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 940
        5⤵
        
        PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 940
        5⤵
        
        PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 940
        5⤵
        
        PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 940
        5⤵
        
        PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 940
        5⤵
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 940
        5⤵
        
        PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 964
        5⤵
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 940
        5⤵
        
        PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 940
        5⤵
        
        PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 940
        5⤵
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 944
        5⤵
        
        PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 940
        5⤵
        
        PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 948
        5⤵
        
        PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 952
        5⤵
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 948
        5⤵
        
        PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 940
        5⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 964
        5⤵
        
        PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 964
        5⤵
        
        PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 940
        5⤵
        
        PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 940
        5⤵
        
        PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 944
        5⤵
        
        PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 940
        5⤵
        
        PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 948
        5⤵
        
        PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 964
        5⤵
        
        PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 948
        5⤵
        
        PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 952
        5⤵
        
        PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 944
        5⤵
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 940
        5⤵
        
        PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 940
        5⤵
        
        PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 944
        5⤵
        
        PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 948
        5⤵
        
        PID:376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 944
        5⤵
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 940
        5⤵
        
        PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 948
        5⤵
        
        PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 940
        5⤵
        
        PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 940
        5⤵
        
        PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 948
        5⤵
        
        PID:712
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 940
        5⤵
        
        PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 940
        5⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 948
        5⤵
        
        PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 948
        5⤵
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 940
        5⤵
        
        PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 944
        5⤵
        
        PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 940
        5⤵
        
        PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 948
        5⤵
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 944
        5⤵
        
        PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 940
        5⤵
        
        PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 940
        5⤵
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 940
        5⤵
        
        PID:516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 940
        5⤵
        
        PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 940
        5⤵
        
        PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 940
        5⤵
        
        PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 944
        5⤵
        
        PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 944
        5⤵
        
        PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 944
        5⤵
        
        PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 964
        5⤵
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 940
        5⤵
        
        PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 940
        5⤵
        
        PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 964
        5⤵
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 940
        5⤵
        
        PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 940
        5⤵
        
        PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 948
        5⤵
        
        PID:432
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 940
        5⤵
        
        PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 940
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 940
        5⤵
        
        PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 940
        5⤵
        
        PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 944
        5⤵
        
        PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 944
        5⤵
        
        PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 940
        5⤵
        
        PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 956
        5⤵
        
        PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 940
        5⤵
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 948
        5⤵
        
        PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 964
        5⤵
        
        PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 940
        5⤵
        
        PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 940
        5⤵
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 940
        5⤵
        
        PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 940
        5⤵
        
        PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 940
        5⤵
        
        PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 944
        5⤵
        
        PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 940
        5⤵
        
        PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 944
        5⤵
        
        PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 940
        5⤵
        
        PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 940
        5⤵
        
        PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 952
        5⤵
        
        PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 940
        5⤵
        
        PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 940
        5⤵
        
        PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 964
        5⤵
        
        PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 944
        5⤵
        
        PID:632
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 944
        5⤵
        
        PID:908
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 940
        5⤵
        
        PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 940
        5⤵
        
        PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 964
        5⤵
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 940
        5⤵
        
        PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 952
        5⤵
        
        PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 940
        5⤵
        
        PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 940
        5⤵
        
        PID:348
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 940
        5⤵
        
        PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 940
        5⤵
        
        PID:452
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 948
        5⤵
        
        PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 940
        5⤵
        
        PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 940
        5⤵
        
        PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 944
        5⤵
        
        PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 940
        5⤵
        
        PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 948
        5⤵
        
        PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 944
        5⤵
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 944
        5⤵
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 940
        5⤵
        
        PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 940
        5⤵
        
        PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 940
        5⤵
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 948
        5⤵
        
        PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 964
        5⤵
        
        PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 940
        5⤵
        
        PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 948
        5⤵
        
        PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 940
        5⤵
        
        PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 940
        5⤵
        
        PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 940
        5⤵
        
        PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 940
        5⤵
        
        PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 940
        5⤵
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 940
        5⤵
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 940
        5⤵
        
        PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 944
        5⤵
        
        PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 940
        5⤵
        
        PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 956
        5⤵
        
        PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 940
        5⤵
        
        PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 940
        5⤵
        
        PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 940
        5⤵
        
        PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4056
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 940
        5⤵
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 940
        5⤵
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 948
        5⤵
        
        PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 940
        5⤵
        
        PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 948
        5⤵
        
        PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 940
        5⤵
        
        PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 940
        5⤵
        
        PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 940
        5⤵
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 948
        5⤵
        
        PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 940
        5⤵
        
        PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 940
        5⤵
        
        PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 940
        5⤵
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 944
        5⤵
        
        PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 940
        5⤵
        
        PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 940
        5⤵
        
        PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 940
        5⤵
        
        PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 956
        5⤵
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 940
        5⤵
        
        PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 940
        5⤵
        
        PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 952
        5⤵
        
        PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 940
        5⤵
        
        PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 948
        5⤵
        
        PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 948
        5⤵
        
        PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 940
        5⤵
        
        PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 940
        5⤵
        
        PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 940
        5⤵
        
        PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 940
        5⤵
        
        PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 952
        5⤵
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 940
        5⤵
        
        PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 940
        5⤵
        
        PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 940
        5⤵
        
        PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 944
        5⤵
        
        PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 964
        5⤵
        
        PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 956
        5⤵
        
        PID:116
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 944
        5⤵
        
        PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 940
        5⤵
        
        PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 940
        5⤵
        
        PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 948
        5⤵
        
        PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 940
        5⤵
        
        PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 940
        5⤵
        
        PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 940
        5⤵
        
        PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 956
        5⤵
        
        PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 940
        5⤵
        
        PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 940
        5⤵
        
        PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 940
        5⤵
        
        PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 940
        5⤵
        
        PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 940
        5⤵
        
        PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 948
        5⤵
        
        PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 948
        5⤵
        
        PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 940
        5⤵
        
        PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 952
        5⤵
        
        PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 940
        5⤵
        
        PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 940
        5⤵
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 940
        5⤵
        
        PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 940
        5⤵
        
        PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 940
        5⤵
        
        PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 940
        5⤵
        
        PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 940
        5⤵
        
        PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 940
        5⤵
        
        PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 940
        5⤵
        
        PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 964
        5⤵
        
        PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 948
        5⤵
        
        PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 940
        5⤵
        
        PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 964
        5⤵
        
        PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 940
        5⤵
        
        PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 948
        5⤵
        
        PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 940
        5⤵
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 940
        5⤵
        
        PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 940
        5⤵
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 964
        5⤵
        
        PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 940
        5⤵
        
        PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 940
        5⤵
        
        PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 940
        5⤵
        
        PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 944
        5⤵
        
        PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 964
        5⤵
        
        PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 940
        5⤵
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 948
        5⤵
        
        PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 948
        5⤵
        
        PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 940
        5⤵
        
        PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 940
        5⤵
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 940
        5⤵
        
        PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:1836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 944
        5⤵
        
        PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 940
        5⤵
        
        PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 948
        5⤵
        
        PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 940
        5⤵
        
        PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 948
        5⤵
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 940
        5⤵
        
        PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 940
        5⤵
        
        PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 940
        5⤵
        
        PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 940
        5⤵
        
        PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 940
        5⤵
        
        PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 940
        5⤵
        
        PID:556
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 944
        5⤵
        
        PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 944
        5⤵
        
        PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 964
        5⤵
        
        PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 948
        5⤵
        
        PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 940
        5⤵
        
        PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 940
        5⤵
        
        PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 940
        5⤵
        
        PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 940
        5⤵
        
        PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 940
        5⤵
        
        PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 948
        5⤵
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 940
        5⤵
        
        PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 940
        5⤵
        
        PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 940
        5⤵
        
        PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 964
        5⤵
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 952
        5⤵
        
        PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 944
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 940
        5⤵
        
        PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 952
        5⤵
        
        PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 948
        5⤵
        
        PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 940
        5⤵
        
        PID:532
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 940
        5⤵
        
        PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:3908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 964
        5⤵
        
        PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 940
        5⤵
        
        PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:4020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 940
        5⤵
        
        PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 940
        5⤵
        
        PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4600 -ip 4600
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3168 -ip 3168
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2244 -ip 2244
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4312 -ip 4312
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4840 -ip 4840
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3308 -ip 3308
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2944 -ip 2944
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 800 -ip 800
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1488 -ip 1488
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1468 -ip 1468
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3424 -ip 3424
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4556 -ip 4556
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2388 -ip 2388
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3628 -ip 3628
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2172 -ip 2172
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1732 -ip 1732
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2108 -ip 2108
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 936 -ip 936
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4432 -ip 4432
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3932 -ip 3932
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3676 -ip 3676
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3972 -ip 3972
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2416 -ip 2416
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4128 -ip 4128
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2516 -ip 2516
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1896 -ip 1896
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3332 -ip 3332
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4948 -ip 4948
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2528 -ip 2528
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3632 -ip 3632
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3976 -ip 3976
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1708 -ip 1708
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1080 -ip 1080
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2816 -ip 2816
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3504 -ip 3504
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4856 -ip 4856
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 408 -ip 408
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4984 -ip 4984
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4764 -ip 4764
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1984 -ip 1984
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1900 -ip 1900
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3332 -ip 3332
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4772 -ip 4772
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4380 -ip 4380
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2172 -ip 2172
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2744 -ip 2744
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3832 -ip 3832
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 556 -ip 556
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3232 -ip 3232
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5068 -ip 5068
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 548 -ip 548
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3456 -ip 3456
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3672 -ip 3672
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3980 -ip 3980
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4448 -ip 4448
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3544 -ip 3544
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3876 -ip 3876
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 112 -ip 112
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4848 -ip 4848
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4296 -ip 4296
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 956 -ip 956
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2644 -ip 2644
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3944 -ip 3944
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1376 -ip 1376
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5108 -ip 5108
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2276 -ip 2276
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3672 -ip 3672
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1656 -ip 1656
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1652 -ip 1652
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 972 -ip 972
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4188 -ip 4188
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4320 -ip 4320
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4992 -ip 4992
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3584 -ip 3584
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2848 -ip 2848
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2936 -ip 2936
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4592 -ip 4592
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1168 -ip 1168
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3656 -ip 3656
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 768 -ip 768
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4356 -ip 4356
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3628 -ip 3628
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 536 -ip 536
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4048 -ip 4048
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1732 -ip 1732
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3112 -ip 3112
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4184 -ip 4184
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 556 -ip 556
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1988 -ip 1988
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4732 -ip 4732
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 1512
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1896 -ip 1896
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1820 -ip 1820
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3992 -ip 3992
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4464 -ip 4464
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3628 -ip 3628
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2864 -ip 2864
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3660 -ip 3660
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2020 -ip 2020
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3112 -ip 3112
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3948 -ip 3948
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3676 -ip 3676
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2168 -ip 2168
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4592 -ip 4592
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3028 -ip 3028
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4968 -ip 4968
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4212 -ip 4212
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4356 -ip 4356
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4608 -ip 4608
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1232 -ip 1232
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2484 -ip 2484
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1708 -ip 1708
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2312 -ip 2312
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3588 -ip 3588
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3948 -ip 3948
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3676 -ip 3676
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 548 -ip 548
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1984 -ip 1984
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1900 -ip 1900
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5056 -ip 5056
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2692 -ip 2692
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2352 -ip 2352
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3836 -ip 3836
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2244 -ip 2244
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3976 -ip 3976
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1284 -ip 1284
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1840 -ip 1840
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2644 -ip 2644
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2140 -ip 2140
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2516 -ip 2516
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 3844 -ip 3844
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 3876 -ip 3876
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 688 -ip 688
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3704 -ip 3704
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4948 -ip 4948
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3716 -ip 3716
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 1360 -ip 1360
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 4496 -ip 4496
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 2596 -ip 2596
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 956 -ip 956
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 2312 -ip 2312
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 3584 -ip 3584
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 4200 -ip 4200
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3480 -ip 3480
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1132 -ip 1132
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4020 -ip 4020
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1984 -ip 1984
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3856 -ip 3856
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 632 -ip 632
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 2692 -ip 2692
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4704 -ip 4704
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 112 -ip 112
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4296 -ip 4296
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 116 -ip 116
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2020 -ip 2020
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3588 -ip 3588
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3948 -ip 3948
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4504 -ip 4504
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2688 -ip 2688
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 760 -ip 760
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 1608 -ip 1608
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 5020 -ip 5020
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 1448 -ip 1448
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3696 -ip 3696
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4356 -ip 4356
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3212 -ip 3212
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4564 -ip 4564
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 2124 -ip 2124
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4232 -ip 4232
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4048 -ip 4048
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2272 -ip 2272
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 540 -ip 540
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4088 -ip 4088
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4516 -ip 4516
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4312 -ip 4312
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 396 -ip 396
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4996 -ip 4996
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4872 -ip 4872
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3672 -ip 3672
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 1720 -ip 1720
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 1112 -ip 1112
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4600 -ip 4600
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2824 -ip 2824
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3168 -ip 3168
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4320 -ip 4320
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 2352 -ip 2352
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4068 -ip 4068
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 1932 -ip 1932
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2168 -ip 2168
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4476 -ip 4476
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 2688 -ip 2688
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 760 -ip 760
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4904 -ip 4904
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2640 -ip 2640
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 5048 -ip 5048
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2776 -ip 2776
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4368 -ip 4368
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 1232 -ip 1232
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 2764 -ip 2764
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 1708 -ip 1708
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4704 -ip 4704
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4048 -ip 4048
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4184 -ip 4184
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 540 -ip 540
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 4780 -ip 4780
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4516 -ip 4516
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4756 -ip 4756
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4824 -ip 4824
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3816 -ip 3816
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4292 -ip 4292
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 688 -ip 688
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4356 -ip 4356
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 536 -ip 536
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3520 -ip 3520
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2744 -ip 2744
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 5004 -ip 5004
1⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1732 -ip 1732
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4056 -ip 4056
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3204 -ip 3204
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4296 -ip 4296
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2388 -ip 2388
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 1904 -ip 1904
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3936 -ip 3936
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4996 -ip 4996
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4560 -ip 4560
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2640 -ip 2640
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 1720 -ip 1720
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4608 -ip 4608
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 5092 -ip 5092
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 228 -ip 228
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 2252 -ip 2252
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2124 -ip 2124
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2268 -ip 2268
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 672 -ip 672
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4308 -ip 4308
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3140 -ip 3140
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 4788 -ip 4788
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4732 -ip 4732
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 944 -ip 944
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3812 -ip 3812
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 548 -ip 548
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3816 -ip 3816
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 956 -p 1448 -ip 1448
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 688 -ip 688
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 2660 -ip 2660
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4848 -ip 4848
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3388 -ip 3388
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 2824 -ip 2824
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 2776 -ip 2776
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3972 -ip 3972
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1840 -ip 1840
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4084 -ip 4084
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 4380 -ip 4380
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3140 -ip 3140
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4044 -ip 4044
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4876 -ip 4876
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4488 -ip 4488
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3236 -ip 3236
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 5116 -ip 5116
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 5088 -ip 5088
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 892 -ip 892
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1800 -ip 1800
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3824 -ip 3824
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1444 -ip 1444
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4280 -ip 4280
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 2764 -ip 2764
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3704 -ip 3704
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4776 -ip 4776
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 516 -ip 516
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2020 -ip 2020
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3836 -ip 3836
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 5068 -ip 5068
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 1268 -ip 1268
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 3028 -ip 3028
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3908 -ip 3908
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3604 -ip 3604
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2940 -ip 2940
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4904 -ip 4904
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 3472 -ip 3472
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4292 -ip 4292
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1820 -ip 1820
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 3764 -ip 3764
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3032 -ip 3032
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3520 -ip 3520
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 964 -ip 964
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4988 -ip 4988
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 1732 -ip 1732
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 1804 -ip 1804
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 3676 -ip 3676
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1932 -ip 1932
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4504 -ip 4504
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4788 -ip 4788
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4312 -ip 4312
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2880 -ip 2880
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 5072 -ip 5072
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4996 -ip 4996
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4212 -ip 4212
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4816 -ip 4816
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1836 -ip 1836
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 800 -ip 800
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3632 -ip 3632
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2756 -ip 2756
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4836 -ip 4836
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4840 -ip 4840
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 348 -ip 348
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2484 -ip 2484
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 2140 -ip 2140
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4380 -ip 4380
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4884 -ip 4884
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4516 -ip 4516
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2000 -ip 2000
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3228 -ip 3228
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 2880 -ip 2880
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2468 -ip 2468
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3148 -ip 3148
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3548 -ip 3548
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 892 -ip 892
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4608 -ip 4608
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4736 -ip 4736
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 432 -ip 432
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 3672 -ip 3672
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 964 -ip 964
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 2272 -ip 2272
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4992 -ip 4992
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3204 -ip 3204
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4320 -ip 4320
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3232 -ip 3232
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 2544 -ip 2544
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 1424 -ip 1424
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4088 -ip 4088
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 3908 -ip 3908
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 3172 -ip 3172
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4020 -ip 4020
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2468 -ip 2468
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3148 -ip 3148
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34qca5p3\34qca5p3.dll

Filesize
832KB

MD5
8ac452f46016c4cf6ecf1767d8db2788

SHA1
63501c1b5acf7be047b6d428367c319773f825cc

SHA256
ba0452e6a5989e23bf3b49cdcd49047740c7fd9531dda7760e3c6a6270fb9ef2

SHA512
2e6153a71b13059ab7794b791b908e9fe3dd9e7039ffc8869f1e77a54516fbc2ad8e242407955896547b9f4c7172713ebc0c6a1a046792564f365c1ac5939c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJm

Filesize
1.2MB

MD5
06fe80691fd6f72282c16b19e63ae9e5

SHA1
e240304306779e9c3478601698e345cb5d76000a

SHA256
5b41dc0d5d556a3d51bebafeee7576d68961ba11f1e417e58d03817fa1f7d05e

SHA512
1f4905e92beb725a2ba941c82e3a7907a217c1cbe96eb8224d7842fefd02b8e410e5dac1116949d1a37f1f825faf45ed522c88e6583da249e29bd60efffae672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe

Filesize
94KB

MD5
a76223c1e216180be838673e3fb5a3ab

SHA1
dd1d667fc79e91e733d23da0e0276986c87edbb8

SHA256
695f4180d6cd2c73464d51387f9d0dc9076fb23d35c659afc2bc0f13fb22ff9d

SHA512
994eb8729d1ec0fe8a7c6dbeb58c00a6a0f7cb36b3da10abe6ee07c0cf0486b1546e35f5d1f1da50191efbbc33b90b7ed83ffa821b092b569909a0081549d89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CA2.tmp

Filesize
1KB

MD5
34af3f162f2aaa36feb1151eabe68ceb

SHA1
c92166cfbb3600cbda6648a805b3de25801336b8

SHA256
6a8048f3f7c44a454560190535fd4a6cf310be37adeaf95bf1dd378b6694a9d3

SHA512
819cd7de60fec48c8b5bd13ed9e7cad2e8c2f23f5662f3fbfb46240f9297fe159e84701525d52b46091d64873b6f7478f062238b99a4443df68488d847b7fbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp

Filesize
1KB

MD5
a0ab9401d1f87c3cc6830e34cee10cda

SHA1
ba979c162156dd5443099a1931527ad1f811b5b1

SHA256
c8d493b814bec94bccbe4e96cffe8d67f386da2cb934798fb04a62f4ac359a72

SHA512
ae42c0b906c3f6211cfcd215e223afbb2a60293900f2fcd1d8e8e3a7943a1ccf3e85d626e9f5f37f95f66b38dc3b41d4dd002b3d91113375184c7a8fe9df0eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84C0.tmp

Filesize
1KB

MD5
34814e6d8b25f31997924a54cf5303da

SHA1
c8fa51bfd7020ac86e3f4dfc61b505a912782099

SHA256
39cdd6900a52a9764559fdba25fa22baef2d19c5c5f8376217366c11f0d6743e

SHA512
413a7ad118413606bebc42a02da0735757f55788b3e884eb024a8a0e44be84cfb406228a77c7e879bde3463371a45e5ae0271655fd4033807c4f409b54a56826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8618.tmp

Filesize
1KB

MD5
45a1f1cbde761caf1f1126b9041c174a

SHA1
f8a2c98457275107bd507c3097359976164a621e

SHA256
f4bed10066d2f139de9c9c71aaab0551d555d9eefbd77633b2bdfa58146be3e5

SHA512
b96dad1684f5471afcbdb3870aaecd461b3e0199db55ab1fc37bf06eaaca4e9a02f68c5d9a314db06d109c86e4c26537ec4269983fbe3566b071b32f35b446fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hclcgu4t\hclcgu4t.dll

Filesize
832KB

MD5
3d91e3f20904c358c1672021909308f9

SHA1
53812b5e19c52fb9eef84627d5052c326c1b357e

SHA256
e4d2286463ebad23342ee4c82bf6cc49391075d7091f024b33e00c0609a02b1c

SHA512
941a3ecba3cfe07dd08fa2053305ec38040384d1424953a725fec4ad5669660e7adf6f5da82bc99327c57fd3c0bfea9dd28a953b3de6f1d9deb65b8d0f63d5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\leorlxcr\leorlxcr.dll

Filesize
832KB

MD5
cbb7fb1da8e96d7bff3d7baf8431b55c

SHA1
9240239839ec7ce8244fe3460c6faca88794b5f4

SHA256
62e0130fde9cef46a7a2b233097129048ce0234d0736d83af91885dfcf38d829

SHA512
746f4aa670a3743de22d21322b2abd46afdee895f63f3487fca68288a60d84a32e9abc14925f2dda330d7c96fc71a5c93bfab7c9acefca4f3fb5249cea11d6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlbzqt0c\qlbzqt0c.dll

Filesize
832KB

MD5
197e6d44338ac7f22860dc8be1071ef7

SHA1
cef098f17e17515b24f2f34879eb5b579209c23d

SHA256
3489b458e429ec75b7a167ba992a76b08216df58018bc0e2a6b10361661ab29b

SHA512
4adc5338e796fab6206b7fa8fce86b19677e37ec3300119dc5e454d9bdf47ca971c45497897b60ed60975687eec8cc01f365130f5cc7a34d625d5830dbc97e1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34qca5p3\34qca5p3.cmdline

Filesize
302B

MD5
a7ec6fff3f75e7b5958216d35d4430d1

SHA1
af51414bbf678857ab0bee9070292a6da4957129

SHA256
c5ac916d984d43e7ab673f5068edcd0bd84433358500157418c522c936bbeb52

SHA512
b2c2fb40480a5fd427b21a404d02c6d382a62894f95ed33dc25f666f72664d06777d8f35fb28ddd1f2630efb4a9d75e4061b13454a885046afd6d15d9c7aa005

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\34qca5p3\CSC60842E8295FA4308985B5C38737135BE.TMP

Filesize
652B

MD5
0c1f5cab95d22a32e6fddbe122c5d703

SHA1
9d500fc1f4018ae1e36c328617586623fb359dd5

SHA256
781733f8cdb11758d7b94aa71bf449221625b2c4acd145201dbbab62f5e8fdf6

SHA512
333b49e775666f33c933b6b48d823a9a88f82cea3622ddb9535c747035e4f41b35bc5201a805e6ea09091d78e6b920619a0a8777b5a651c184cef2f3283ae121

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hclcgu4t\CSCEF736D98D42F4579A6DA9D356F7588.TMP

Filesize
652B

MD5
c479c10d2e3f83e78e848f868f4c5a6d

SHA1
fe7b49344202dc4ddb20a240a9d74f406d082413

SHA256
c7fffc6f295ff79176bf2ffd6577fd2466bd9a84b0ecc64d3c3b4e64633d06c7

SHA512
bd99821a7cbe431f099b5c7253df52ce10d3c6cb41da8ff3d8e8f96a909be67863a45d733127830aa6748e9bdf24d448c771cd204ea31fda8692e8d65f788c1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hclcgu4t\hclcgu4t.cmdline

Filesize
302B

MD5
78084f5d47c321b5d8f75e3ad19881b0

SHA1
827f04cf3a5bc482c4630268b1925f1cf035c958

SHA256
4c6cfb27a9aa7957a81134ff9c7b5951d79374e8814ca4429f0644968837a12b

SHA512
6445b3d97dfd1b835d78397f9fcce6eddf68cabbd6c11a88fd137392774ab7effd9f82a40c7e97c7b062d454b3dbf58967cc75987c4a2b309d146ae91a363952

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leorlxcr\CSC315630C795AF410A81C9B45372CB19FC.TMP

Filesize
652B

MD5
7309ef21edc43ccd81c3e9902b48d912

SHA1
0cfa42dd69ea2103c95a4944249300ef1689ae1f

SHA256
b96aa82f86f6275a9253391b4d5e4fbb3bfc55cb4698d734d3abddfa2dcd9ae4

SHA512
941b86159df30bb884135b5e7a36b7591a3ca6b16e4962a127382ba33b6e87f3de631a17e80dbb44b76dd13430c2e2aef0206f471490e4cf26dc347dde89f49b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leorlxcr\leorlxcr.0.cs

Filesize
1.2MB

MD5
134076190ecedd5b5ae653aa1ca82dcd

SHA1
3a2418a4b78942bdc5238c190aafec6f25401df1

SHA256
f34bc0335b156845f2d49d55520d7bab30b5812fbef489798402f089643e8255

SHA512
b89ca747a9f968348cfbc527890da57607ed11254633e28b7450b8169411582d6ed3f3f2229c7e21a6fc5f60eef2561e280419dc6e01ff622c862638e9bfe39e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\leorlxcr\leorlxcr.cmdline

Filesize
302B

MD5
a62a483c9e410433a0985350af297476

SHA1
195d56ae414b9c5fe18a053f97805d71dc08e68c

SHA256
8efca5a3379c6b788924ce16068b54e7eb21cc1160b745f119f0fc020b3c25b3

SHA512
4847cf2434c215f381a15124a11bcb35f3f97027a22186e98fc71cce3060071fd4ab8d118b6f00731db9dde651648d7d94e955c0261bb6259730488ba5cfd4a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlbzqt0c\CSCD2EF96C690564CAAACC1F83ACD5BED68.TMP

Filesize
652B

MD5
2ce10ae6f94589b9e8d730f4835bf37f

SHA1
24ed3d1151fcec0b5f88563bdaccd8ba0607487d

SHA256
2af403ec4f719781eb7d34496ce6ab3133ec42b283deda664e74d5761f39fc23

SHA512
1326af3cb6b28f7e282165eddfa6362e8962defa3e73a9544f54f33300ea3abb8d48e13c6d2fc9176c83fdae1c2b96828e8f24fd2f0dc575535954c70216754b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlbzqt0c\qlbzqt0c.cmdline

Filesize
302B

MD5
9de295544ee2d6a8e46ee4fd1690cc44

SHA1
b83085109135614062708b78c940fedbafc9accc

SHA256
e34a988b44a275bcff7ca7a071b217cf8e134e5c4a8298253c74c7b3d1609ffb

SHA512
f8665263799e231cfb3d680972b1d99b440364c6488dc75ab347b24ae629400c770dc4a7f452b27915753b6547761bb8cc178ae291c6df58479a9e19ff8733ce

Download Submit
memory/2144-60-0x0000000004E70000-0x0000000004F46000-memory.dmp

Filesize
856KB

Download
memory/2144-74-0x0000000004F50000-0x0000000005026000-memory.dmp

Filesize
856KB

Download
memory/2144-76-0x00000000029A0000-0x00000000029F4000-memory.dmp

Filesize
336KB

Download
memory/4316-23-0x0000000004980000-0x0000000004A56000-memory.dmp

Filesize
856KB

Download
memory/4316-13-0x0000000073F60000-0x0000000074710000-memory.dmp

Filesize
7.7MB

Download
memory/4316-78-0x0000000073F60000-0x0000000074710000-memory.dmp

Filesize
7.7MB

Download
memory/4316-7-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/4316-39-0x00000000024E0000-0x0000000002534000-memory.dmp

Filesize
336KB

Download
memory/4316-37-0x0000000004A60000-0x0000000004B36000-memory.dmp

Filesize
856KB

Download
memory/4316-8-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/4908-43-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/4908-44-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/4908-41-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4908-49-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/4908-45-0x0000000004FF0000-0x0000000005008000-memory.dmp

Filesize
96KB

Download
memory/4908-42-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/4908-119-0x0000000006320000-0x000000000632A000-memory.dmp

Filesize
40KB

Download