cybergate | 62a770c50921bb6b3b08e944c418254e04439a236a333ad8318105fd571e5dfe

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Size

305KB
MD5

1bd6f2ecf1190edfb6282aa9d27be2a6
SHA1

67cdb36fc56ffa7391134da4f66c5c7cd30b3bb4
SHA256

62a770c50921bb6b3b08e944c418254e04439a236a333ad8318105fd571e5dfe
SHA512

473160a47c75f72c103eeeb71de184ade8e135f53509221a6326b3e91ee68f24ba244cd26f5ea5e7bfbec26daf95a958a92260f321ec69db8266947d86f20925
SSDEEP

6144:D724ToFyJEy8tTNzkrzmqUCQVxwhTtmOLrGQ+gd4DHJr6sBeDwb2EcxWLJvY:32F0ElHzDxw5tm0Igd4wsBDjxY

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

lepauvredz.no-ip.biz:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
mmngr
install_file
winime.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe"	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe"	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{732T4QU1-O2KS-YU47-6J01-C856E06G7TO0}\StubPath = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{732T4QU1-O2KS-YU47-6J01-C856E06G7TO0}	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{732T4QU1-O2KS-YU47-6J01-C856E06G7TO0}\StubPath = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe Restart"	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{732T4QU1-O2KS-YU47-6J01-C856E06G7TO0}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

Processes:

winime.exewinime.exewinime.exewinime.exewinime.exewinime.exewinime.exewinime.exe

pid	Process
4388	winime.exe
2584	winime.exe
448	winime.exe
2812	winime.exe
3360	winime.exe
1692	winime.exe
2504	winime.exe
3216	winime.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe"	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\system\\boot\\winime\\mmngr\\winime.exe"	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exewinime.exewinime.exewinime.exe

description	pid	Process	procid_target
PID 3164 set thread context of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 4388 set thread context of 2584	4388	winime.exe	152
PID 2812 set thread context of 3360	2812	winime.exe	244
PID 2504 set thread context of 3216	2504	winime.exe	406

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3552-14-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3552-15-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3552-18-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2428-80-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2428-154-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1956-208-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1956-349-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2216	3164	WerFault.exe	81
3868	3164	WerFault.exe	81
2660	1956	WerFault.exe	90
1496	1956	WerFault.exe	90
2864	1956	WerFault.exe	90
1060	1956	WerFault.exe	90
2504	1956	WerFault.exe	90
2680	1956	WerFault.exe	90
3060	1956	WerFault.exe	90
4836	1956	WerFault.exe	90
1460	1956	WerFault.exe	90
4120	1956	WerFault.exe	90
2188	1956	WerFault.exe	90
3772	1956	WerFault.exe	90
2872	1956	WerFault.exe	90
2440	1956	WerFault.exe	90
1896	1956	WerFault.exe	90
2264	1956	WerFault.exe	90
2260	1956	WerFault.exe	90
4572	1956	WerFault.exe	90
4332	1956	WerFault.exe	90
232	1956	WerFault.exe	90
3696	1956	WerFault.exe	90
2976	1956	WerFault.exe	90
2616	1956	WerFault.exe	90
1464	1956	WerFault.exe	90
3008	1956	WerFault.exe	90
4624	1956	WerFault.exe	90
2648	1956	WerFault.exe	90
2160	1956	WerFault.exe	90
1612	4388	WerFault.exe	146
1496	1956	WerFault.exe	90
2852	4388	WerFault.exe	146
2600	1956	WerFault.exe	90
4840	1956	WerFault.exe	90
3192	1956	WerFault.exe	90
64	1956	WerFault.exe	90
2452	1956	WerFault.exe	90
2652	1956	WerFault.exe	90
2884	1956	WerFault.exe	90
4200	1956	WerFault.exe	90
1628	1956	WerFault.exe	90
1896	1956	WerFault.exe	90
2264	1956	WerFault.exe	90
2260	1956	WerFault.exe	90
4276	448	WerFault.exe	180
4116	1956	WerFault.exe	90
3048	448	WerFault.exe	180
4668	1956	WerFault.exe	90
1940	448	WerFault.exe	180
4488	1956	WerFault.exe	90
3008	448	WerFault.exe	180
4992	448	WerFault.exe	180
2648	1956	WerFault.exe	90
2160	448	WerFault.exe	180
452	1956	WerFault.exe	90
3544	448	WerFault.exe	180
372	1956	WerFault.exe	90
252	448	WerFault.exe	180
2292	1956	WerFault.exe	90
3468	448	WerFault.exe	180
3300	1956	WerFault.exe	90
1100	448	WerFault.exe	180
4452	1956	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exewinime.exewinime.exewinime.exewinime.exewinime.exewinime.exeexplorer.exe1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exewinime.exe1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Modifies registry class 1 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exewinime.exewinime.exe

pid	Process
3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
2584	winime.exe
2584	winime.exe
3360	winime.exe
3360	winime.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

pid	Process
1956	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1956	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
Token: SeDebugPrivilege	1956	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

pid	Process
3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3164 wrote to memory of 3552	3164	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	85
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56
PID 3552 wrote to memory of 3536	3552	1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 280
    3⤵
    - Program crash
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2428
    - - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        "C:\dir\install\system\boot\winime\mmngr\winime.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 280
        6⤵
        Program crash
        
        PID:1612
      - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        C:\dir\install\system\boot\winime\mmngr\winime.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3564
        
        C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        "C:\dir\install\system\boot\winime\mmngr\winime.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 244
        8⤵
        Program crash
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 252
        8⤵
        Program crash
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 200
        8⤵
        Program crash
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 260
        8⤵
        Program crash
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 272
        8⤵
        Program crash
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 292
        8⤵
        Program crash
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 280
        8⤵
        Program crash
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 276
        8⤵
        Program crash
        
        PID:252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 284
        8⤵
        Program crash
        
        PID:3468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 252
        8⤵
        Program crash
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 240
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 280
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 292
        8⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 312
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 276
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 268
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 196
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 324
        8⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 332
        8⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 360
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 336
        8⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 344
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 432
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 440
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 444
        8⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 448
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 508
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 460
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 456
        8⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 464
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 452
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 488
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 500
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 520
        8⤵
        
        PID:872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 516
        8⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 448
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 452
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 524
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 512
        8⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 556
        8⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 540
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 524
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 512
        8⤵
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 556
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 540
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 460
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 448
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 524
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 528
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 524
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 488
        8⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 540
        8⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 572
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 588
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 588
        8⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 628
        8⤵
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 636
        8⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 620
        8⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 576
        8⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 460
        8⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 956
        8⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 984
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 780
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 656
        8⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 632
        8⤵
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 140
        6⤵
        Program crash
        
        PID:2852
    - - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        "C:\dir\install\system\boot\winime\mmngr\winime.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 244
        6⤵
        
        PID:3916
      - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        C:\dir\install\system\boot\winime\mmngr\winime.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3176
        
        C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        "C:\dir\install\system\boot\winime\mmngr\winime.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 244
        8⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 252
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 284
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 280
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 276
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 252
        8⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 284
        8⤵
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 280
        8⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 276
        8⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 256
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 304
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 252
        8⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 276
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 300
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 284
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 368
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 376
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 408
        8⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 416
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 388
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 392
        8⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 440
        8⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 448
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 480
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 488
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 476
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 496
        8⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 492
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 440
        8⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 528
        8⤵
        
        PID:628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 536
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 476
        8⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 508
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 516
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 488
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 544
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 492
        8⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 528
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 532
        8⤵
        
        PID:824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 568
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 576
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 536
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 540
        8⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 588
        8⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 616
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 492
        8⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 600
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 608
        8⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 612
        8⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 644
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 652
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 684
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 692
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 660
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 668
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 676
        8⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 600
        8⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 680
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 804
        8⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 804
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 968
        8⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 992
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 564
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 664
        8⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 644
        8⤵
        
        PID:2192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 140
        6⤵
        
        PID:3828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1bd6f2ecf1190edfb6282aa9d27be2a6_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
        5⤵
        Program crash
        
        PID:2660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 276
        5⤵
        Program crash
        
        PID:1496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 292
        5⤵
        Program crash
        
        PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 212
        5⤵
        Program crash
        
        PID:1060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 300
        5⤵
        Program crash
        
        PID:2504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 208
        5⤵
        Program crash
        
        PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 288
        5⤵
        Program crash
        
        PID:3060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 300
        5⤵
        Program crash
        
        PID:4836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 304
        5⤵
        Program crash
        
        PID:1460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 324
        5⤵
        Program crash
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 208
        5⤵
        Program crash
        
        PID:2188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 288
        5⤵
        Program crash
        
        PID:3772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 292
        5⤵
        Program crash
        
        PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 260
        5⤵
        Program crash
        
        PID:2440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 324
        5⤵
        Program crash
        
        PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 272
        5⤵
        Program crash
        
        PID:2264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 284
        5⤵
        Program crash
        
        PID:2260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 272
        5⤵
        Program crash
        
        PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 364
        5⤵
        Program crash
        
        PID:4332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 384
        5⤵
        Program crash
        
        PID:232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 392
        5⤵
        Program crash
        
        PID:3696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 372
        5⤵
        Program crash
        
        PID:2976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 404
        5⤵
        Program crash
        
        PID:2616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 412
        5⤵
        Program crash
        
        PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 376
        5⤵
        Program crash
        
        PID:3008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 396
        5⤵
        Program crash
        
        PID:4624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
        5⤵
        Program crash
        
        PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 388
        5⤵
        Program crash
        
        PID:2160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 388
        5⤵
        Program crash
        
        PID:1496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 192
        5⤵
        Program crash
        
        PID:2600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 416
        5⤵
        Program crash
        
        PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 532
        5⤵
        Program crash
        
        PID:3192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
        5⤵
        Program crash
        
        PID:64
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
        5⤵
        Program crash
        
        PID:2452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
        5⤵
        Program crash
        
        PID:2652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 532
        5⤵
        Program crash
        
        PID:2884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 376
        5⤵
        Program crash
        
        PID:4200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 272
        5⤵
        Program crash
        
        PID:1628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 536
        5⤵
        Program crash
        
        PID:1896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 540
        5⤵
        Program crash
        
        PID:2264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 568
        5⤵
        Program crash
        
        PID:2260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 560
        5⤵
        Program crash
        
        PID:4116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 548
        5⤵
        Program crash
        
        PID:4668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 416
        5⤵
        Program crash
        
        PID:4488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 560
        5⤵
        Program crash
        
        PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 588
        5⤵
        Program crash
        
        PID:452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 576
        5⤵
        Program crash
        
        PID:372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
        5⤵
        Program crash
        
        PID:2292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 388
        5⤵
        Program crash
        
        PID:3300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 568
        5⤵
        Program crash
        
        PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 388
        5⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 556
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 548
        5⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
        5⤵
        
        PID:1292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 528
        5⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 256
        5⤵
        
        PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 728
        5⤵
        
        PID:3512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 756
        5⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
        5⤵
        
        PID:1108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 800
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1112
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1112
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1164
        5⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1112
        5⤵
        
        PID:3312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1160
        5⤵
        
        PID:2680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1108
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1100
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1228
        5⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1264
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1272
        5⤵
        
        PID:3420
    - - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        "C:\dir\install\system\boot\winime\mmngr\winime.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 244
        6⤵
        
        PID:2952
      - C:\dir\install\system\boot\winime\mmngr\winime.exe
        
        C:\dir\install\system\boot\winime\mmngr\winime.exe
        6⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 544
        7⤵
        
        PID:3012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 140
        6⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1288
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1008
        5⤵
        
        PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 796
        5⤵
        
        PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 140
    3⤵
    - Program crash
    PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3164 -ip 3164
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3164 -ip 3164
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1956 -ip 1956
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1956 -ip 1956
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1956 -ip 1956
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1956 -ip 1956
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1956 -ip 1956
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1956 -ip 1956
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1956 -ip 1956
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1956 -ip 1956
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1956 -ip 1956
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1956 -ip 1956
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1956 -ip 1956
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1956 -ip 1956
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1956 -ip 1956
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1956 -ip 1956
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1956 -ip 1956
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1956 -ip 1956
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1956 -ip 1956
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4388 -ip 4388
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1956 -ip 1956
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4388 -ip 4388
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1956 -ip 1956
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1956 -ip 1956
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1956 -ip 1956
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1956 -ip 1956
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1956 -ip 1956
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1956 -ip 1956
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1956 -ip 1956
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1956 -ip 1956
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1956 -ip 1956
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 448 -ip 448
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 448 -ip 448
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1956 -ip 1956
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 448 -ip 448
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1956 -ip 1956
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 448 -ip 448
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 448 -ip 448
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 448 -ip 448
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1956 -ip 1956
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 448 -ip 448
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1956 -ip 1956
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 448 -ip 448
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 448 -ip 448
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1956 -ip 1956
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 448 -ip 448
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1956 -ip 1956
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 448 -ip 448
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 448 -ip 448
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 448 -ip 448
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 448 -ip 448
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1956 -ip 1956
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 448 -ip 448
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2812 -ip 2812
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 448 -ip 448
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2812 -ip 2812
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1956 -ip 1956
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 448 -ip 448
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1956 -ip 1956
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 448 -ip 448
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1956 -ip 1956
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 448 -ip 448
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 448 -ip 448
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1956 -ip 1956
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 448 -ip 448
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1956 -ip 1956
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 448 -ip 448
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1956 -ip 1956
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 448 -ip 448
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1956 -ip 1956
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 448 -ip 448
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 448 -ip 448
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1956 -ip 1956
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 448 -ip 448
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1956 -ip 1956
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 448 -ip 448
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 448 -ip 448
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1956 -ip 1956
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 448 -ip 448
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 448 -ip 448
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1956 -ip 1956
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 448 -ip 448
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1692 -ip 1692
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1956 -ip 1956
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 448 -ip 448
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1692 -ip 1692
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 448 -ip 448
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1956 -ip 1956
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1692 -ip 1692
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 448 -ip 448
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1692 -ip 1692
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 448 -ip 448
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1956 -ip 1956
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1692 -ip 1692
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1692 -ip 1692
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 448 -ip 448
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1956 -ip 1956
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 448 -ip 448
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1692 -ip 1692
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1956 -ip 1956
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 448 -ip 448
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1692 -ip 1692
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 448 -ip 448
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1956 -ip 1956
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 448 -ip 448
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1692 -ip 1692
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 448 -ip 448
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1956 -ip 1956
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1692 -ip 1692
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 448 -ip 448
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1692 -ip 1692
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1956 -ip 1956
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 448 -ip 448
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1692 -ip 1692
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 448 -ip 448
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1692 -ip 1692
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 448 -ip 448
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1692 -ip 1692
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 448 -ip 448
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1692 -ip 1692
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 448 -ip 448
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1692 -ip 1692
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 448 -ip 448
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1692 -ip 1692
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2504 -ip 2504
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 448 -ip 448
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1692 -ip 1692
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 448 -ip 448
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2504 -ip 2504
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3216 -ip 3216
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 448 -ip 448
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1692 -ip 1692
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 448 -ip 448
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1692 -ip 1692
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 448 -ip 448
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1692 -ip 1692
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 448 -ip 448
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 448 -ip 448
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1692 -ip 1692
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 448 -ip 448
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1692 -ip 1692
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 448 -ip 448
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1692 -ip 1692
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 448 -ip 448
1⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1692 -ip 1692
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 448 -ip 448
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1692 -ip 1692
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 448 -ip 448
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1692 -ip 1692
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 448 -ip 448
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1692 -ip 1692
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 448 -ip 448
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1692 -ip 1692
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 448 -ip 448
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 448 -ip 448
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1692 -ip 1692
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1692 -ip 1692
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1692 -ip 1692
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1692 -ip 1692
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1692 -ip 1692
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1692 -ip 1692
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1692 -ip 1692
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1692 -ip 1692
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1692 -ip 1692
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1692 -ip 1692
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1692 -ip 1692
1⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1692 -ip 1692
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1692 -ip 1692
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1692 -ip 1692
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1692 -ip 1692
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1692 -ip 1692
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1692 -ip 1692
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1692 -ip 1692
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1692 -ip 1692
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1692 -ip 1692
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1692 -ip 1692
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1692 -ip 1692
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1692 -ip 1692
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1692 -ip 1692
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1692 -ip 1692
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1956 -ip 1956
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1956 -ip 1956
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1956 -ip 1956
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 448 -ip 448
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1692 -ip 1692
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
31b03910b09c0bee870b95b0409dc714

SHA1
e14f91faf5bd0f53c6c13018809b847274162a2a

SHA256
08c2cc9150f3d7299606d03e012f7fe10d864dbe73661d6a329dcfb78b164fd2

SHA512
8c3f9fd95c6d5f172542f90a588fb2be0748ef4b5651529df8fddb43431c6d41bff9f6736f3006385e18ad0eccc79832d04fad1ddccab823d0baebdad3e1a297

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
5b38d738fdbe37b1eaabc027845dfa11

SHA1
5cb7547e48b661d23cd1c803bee316cd55eac29d

SHA256
d878cef66e27296b2fea00651e630d4ecff67e2f74cdcc031323afb680ce27c5

SHA512
768c2b41f3495e264abacba64f8d97ceaf2724ad77de70470cbff11fd47398d1a4d55b7c38665e16e521ba361a006abdd84834ab53a6125e14fb097c67fde11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d349d07346717914be312245f2e38a6e

SHA1
8c6a4a7d426c99b95ab4c3c04ac6765f4836d333

SHA256
0bb218629d7b66f85de02c8935e697c5883050e0a89b421c9e92d119d57786ca

SHA512
3b4081fbb472fd8801384fc90635fcd03a293ff978cac161ad6fff9ff28c0c51d076431530b682889079ae645eedb6d6016fb756d8d3b1106ad5688946215626

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8049f1eca89837dae8eca91784401a17

SHA1
aae1693e263d6fb0c89652e281a0e2cfdfb7c714

SHA256
bbbb5dc563faa142961fcd4f146b88e640b2d4880abf5f53ca3533203d27a42d

SHA512
49665a855644d0abb2d5a29b8819098976096856106c34ef5adbb25f27ae94237e30c1bd9cba37b96724d2f301c45dab713c3292b904e327430acb1b17012a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
29f85ef4154ac5479df031e2af11e70c

SHA1
397d7f5a76f0511360902cce1f5f46944db70882

SHA256
920b9b8b4ea285ecdde7879e52937a42060dffd8d07f4ee2463e6f0c4aa64dfc

SHA512
a03b52f8de08cb6d1f462a9d41377a6cbd7a4e2b3a381bebad33fde8405818bae1d1714863e2eedba774ab854bfab9d075e99ac2764286361264145882f0c75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da4445f55ad5efe07abc00c69b1bcbd6

SHA1
42e88b26fa5ef0c96771b01837deedc329623fcb

SHA256
9b64ca9ee4f76ceb6de6fccfb9b9ff797a4b3863ab41a395970c6b4acea881b1

SHA512
bc7a4431e8cf6723728818eca863310abeee900c509325508dd8d5f6e6e064befa7f4244d4bf6611f06fcf107228f396f5b84bb66063ddd571b211ffa585bfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba5bb2a818a42687d0a7a9a69fb67bb3

SHA1
3beb0042b32529838babf7504ea1983399a26778

SHA256
fc84d5a3ba39c526c39d24646e3611f3d8223e620dbf35eea5484447c7aae7ff

SHA512
58f974db9b80a83985face09581d2592a26f508d7138810ffc17bb77d055e0585de881defd27f7c4dfeb3c0f9db374ddc6147afaed4405c9e3f41570fed785c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6fddefd12865d8b0ecf9d9580dfff7b9

SHA1
b0f69057ea73baae194c6769519aec51b4001043

SHA256
f5e1e9ffefdb32a802ee9944d6fb74f57789e5169db1a39c938976034bae31fc

SHA512
c04191b7b17bcb5bdfa2345f1778d313e0d68ef1574911f1763ae5d1ca8be79c85e57190d157f6cd888b005ae9bf907c0ccb36efdf3121dd81b890f58f2d55dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f857514d2781e9f3aadcede8f1799b53

SHA1
c02f511b34278fa697c0a9a6204adab9625c5a8f

SHA256
bd792a2718c586c21fd1488663e58289c2f3b50590bf79dccc86dbdc38ca2184

SHA512
5f5e8ae90099a332ef7cf8dae3a955af81d3f441aa25ed411622446eb83768172e1d488948bed2f314f5dcc2e8f72c5dd0ced5c3fb8fbf88171c6a7742ebb823

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a3dcd24e9a1a8a02b4b95998d30ba7c

SHA1
970230fa535c2dca427ca8302f24c7e6a776884f

SHA256
3ed86df56e790408d9886884952ba0e9d975aefc926d554fd9309322ef8ba1d8

SHA512
04d0ea8e5faaebf8fc2a4774283371d77709dcfd5139ed8c391002012f88509aee393ab91d3fac2cb2d2829c8cef695f1cbc12c57ef4c17a7a2300146769b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b202cb7592f0d99e6bcf77e10d0301d3

SHA1
6bf49e68fd96f4ee66f9dec3b4528e1c3974aaa8

SHA256
5353b6b618de0af6b58366c4e13d2a699998e5929d26ee4a86626b8d37222b3d

SHA512
61afc71f02f908d183269f3519066e074f6be8444020f672be178f7a45276d905ac1851b1448aba616a655d579c51c9577a20fefa50630b71a6f6b87dc007315

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d95e29e2f53e212d4757c2bba1ec089

SHA1
65e52d3f6866485fbc174277126a5941aa0a3ef7

SHA256
fc4379ebb22859823a9d6285cad4248140acebf88165dade9593a8dbb8bc3134

SHA512
8992c0addab53b84d3e53852c06602e2aff250258d33b7346b00f9631c78351df8e684fef583804c2c3aa1b7a45b0c69e19fd25d30cd5900ef5615c5d75cc944

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
af49919907406bb977fed387676c61d4

SHA1
8382b9028442aa754bf29f61245ad5e89fec2ba4

SHA256
ae09c375c4fafea967e0d304f4bff52976d436bba664919e1a860a576edd1d15

SHA512
f85854946685086956f14f00429c18269df6e2d31513c7d339696ae0b72e15be5f28151186135987c9adccdde445bc089fb619ae7b6d0b7e41cad420ec140bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5345c9c25a6eefc219317f057b4ef29d

SHA1
b2357bfcbe862c61dcd50bdbdbef734f4c6087f8

SHA256
33ae113107dcf36b41ba015e7fb0792c9b21bf98a0a54b434ee6c99261c59ac0

SHA512
59e86e7ce9945a8fff07a0bb242ec6d007cb813d0ce7c5f60dde2f930690d4dff9608c6e5e84da7e421eac42f6bd5ee169910c86a59f55bb68a3cd9a34709ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d731e3cd993065dd628ed659be01730

SHA1
8f68ff980388fa2407a5d9d56a0c7c28bbaab290

SHA256
d2d57265be8c54cde972f8b33d454287a4dcb3019538a1c8fe221886b6e091cd

SHA512
fd4a51d731d944dc2082b8ef6afa6ffa4775caece0792bb6d44d9be2639bb4fd6042d7ef489f1e051bb146e62db41ba64ae73b2d6c9ba1a9e1d0bc793b55815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60ddfc10ce005df4370af6fc59a8416a

SHA1
4f98ca95d46a0b4c14d714ed431cd8f6457bbf22

SHA256
ad749b7dcf0044eb2450d28cb71d95c146fbacacc2352cd5fb47e8e94a90dcea

SHA512
ab1abafd005c7c5b6e7d93526bb38a5a77ae8e91cc182c2c6ee21647c9c1944aa354946755f73a4f9c5402a1abea5dd63370b0b6dfffab95c6303624250d2158

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fa5673efb9938006df47f24873fac1d0

SHA1
4e329439258db649ce6caa26e841f48e8e1b9b30

SHA256
819824b8e5cc3f2db3cbe4e36487b7efbf5a272b51eff2f4e3b4943c8aa81428

SHA512
3ac907b6671c54d918388905593d5762502db0adbc2d34e834aca853402bbe2638e22edf9fad5e99beee7c3a40af10282612ff60649c444cd04d58dee6a26028

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
592b40fe8713979d501c6b7f2842d4fd

SHA1
f1d06f893dde475ae8bd2ff06627209cfdfd3d01

SHA256
365299b9a8cb77037bfcd14ca7c1e1779519d54ba5fd166e025c10c17942d7b7

SHA512
f2ccea756c75d4cbb0dba73d3dea2aa63b3ed9d616d1060297c639e9f8c886b6703fca46ee51d4e9ae9b08fdee99001ec6f9ee69ba3c4d04977813a1a3c3f62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2a2dc4103f5148687bbf462bcae4d824

SHA1
437a0c66ec84e0819c328a0c150f0e9f0f75dc3c

SHA256
48aa19816ad8470597458e357a7dc25aedd34710ba3d9bca88bfc0ee7a6ef7a3

SHA512
08ad000996938753fecff9c13e4336a8354f6a05cc89f47dc8700f8a272f8e24804924f6924b24adbf932b192ae7cbdc402be0a7f80e5ee7c1fb3206b35198d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dba64c9fc46ef9e54457a44d798012fa

SHA1
7d242685f0be38ed17282c327e1cf34229b65361

SHA256
97c56dc399d3bf112e5f0ebd02c868c72febe692554abe4d18b445a1bb028018

SHA512
59da19d47a787b9ec1268b0b972facc7dfd2cc51f5433cf3147cb3d626dc97b2323060a46403dfdb73e240dd5b590e5f2c76e995eb61ebe84a25617c13a9e4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b266cb68c68af590844a79a3872b57d2

SHA1
c85d48337189bc400beb951b1165fcc8a90c6713

SHA256
92f8fc28d05431bf1fec4c653d7aa52df9c6ac95537b3ae89f1eb8da0f29c2cb

SHA512
87ab3dea10bdd7678685d4f411c8c900007b2ed77971e41471a80b92d06f5e090623ef901ca6d5f160a8eb1016ef8ca792a84dae6101af074f3a3461eff42828

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a30833513b2723d87c4c9c3b37784596

SHA1
1c0e55f9c58a0b0280e542444ff21b949c272046

SHA256
970b9c53383097460df877c64ca93fe7d4380232ab36bb74d4b1386084ba65e2

SHA512
09626bc918d88f99df98eb2e3b8b969c7e42ec2ce24a08bb53f8b4c527ae8e6c1c7fb364cc6c22447d1b6cc8a40f166660f6e592236f3c1c54363ff12beb0b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b876e4ec93e03b36332bdd2e453c9017

SHA1
e3a2f428637d504807a7576cd9d9c0f0e503b8e3

SHA256
c57c97738f5b1682ad0a394ca8f3d1bd7e4d8bbcb6dd0377772c47b80b91f043

SHA512
c043a8889b40d4fd1c54174443ef88950d8da152c21334944f739dc5b545dc02cfd9a2b8a44d24c1d40cd83c6811fa0843eac6b0d5a7ff0915e63277f004acf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
acaac824672b0d6ae088eab03866ba41

SHA1
7883877f1b77cc0d9ba8fd686b34eeeec8e7e6f8

SHA256
83f0bfb60f4cb0475c5f41d51ec38d0428d1b781d80807d70150ce347c98d273

SHA512
35db71a826586f0169d8bbc642293d90b14cc0c83c50dc3e07abe9b45fcc3007695348452088bb930f59ce7e9be9528b9add50711f7aead5209f18837cdaa5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3b55b51ebc1b1837fad29a497af9a176

SHA1
b511851768c83284d2bfed9d84b4b4f2712d02da

SHA256
87333eaabd070fd758627fdc4e9574633938eee691f743055d23b7b61a62e661

SHA512
2a30f099816cc5380b91f2cb4b3d9a79b97fc920d743aa3d6baa2b85dcbaa56d6fe548161d08092403839741525c33f8b6e35b8ab81c7334fc6ba2818c056112

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a97edf558a7af36fb6cd725892ed0a6

SHA1
dbcc23f1127a2c23454a6499da07791df3118a7e

SHA256
d681fd1702b9ce37fd8b581aea30c3a290f3e7ecfaa50ba0c9b5749686dce68a

SHA512
5c122e382594c7d2cc014aa742ee9a136e5685d48178adff90b887e1719ee84b2e9a30b5c9a96f54da8b9e3d459c8778afa79ab1c0fd85f174e1af83fe19b855

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ba043d6418fb1fd0fceff186f713453

SHA1
7f95d2a9d5eb1334ce2a9808e29ec6468425e21c

SHA256
e9be075d9585d20a68a336937f111f2d3c93e58fa1777d67f3f32ee7fb247f93

SHA512
117d3dd9f65b53b1c2876f1253f4b506850216f80b438764c056337ae66bfdf70ff9b3660cd70763abec01009f32e1657b43462be3d9c75edb7513ea0aadc2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6bee6072d9b854f0ca0ada44f13ab727

SHA1
ecaf646331023f873b68b426bf3728942d579a2d

SHA256
6b6d4a9e71146befb48bf2884d8d5066f7e0fd4cd062424e34fae099b4e5f878

SHA512
eff81b5b50161d1b8e0c0e0065c537b4a2ce07a633889ee8d344d35af7dd44570b1af5627b36be62ac3dc7f6439bbd208784f529f802092050d63574354db458

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a626e352e501f99f64a2c0130c636152

SHA1
271179f015ae351d96a10daa7ed32b3f11393555

SHA256
477805af0e419c20b2259c500a63026c3139ecf199c17c0a9f067b321af77103

SHA512
bd89bb1e6d24761707367123825f62bbcd1a9c4f393c5bff439bdc35ca60d0b9192592b6bac596fefaa80de8ea903d1cf6940e359b2df781cb698943e1d29cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ae125d21f148dfeb5d2d47f7e9796c2e

SHA1
62ded6bd57eb09d9f2bed62e2b0780a23f625bb7

SHA256
67c1fcc15fc69b57dbaa0a7a272004cba0dd71dbe5c16ca1fc27da9739082287

SHA512
ec2e6c5d601531a3941a2560efb564763fd4f147708741bf4146816e48a95024ee7a1409530a13facfc403717094c940073b603778e32949212c042f16b3b7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c806ef497229f7a326117ad122d891ae

SHA1
b0e7f6cf2fdd92984fb4c4efe4646d77a9e3f3fb

SHA256
3058b4884e2f89829970d9cb9eac63d40349302e776e69c5213c17ca1ec71625

SHA512
e2af660e2231e2562ec609edf4af340e31e08571f9dd97175681a81420fbcf6896833cb8316f44fc00c625980f588a402388aea029cb83def914efda3422f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6800ccca393e348ad31c9ca33313e05a

SHA1
1cddc7bf8670ad9cfa07179c71708e746bac0eba

SHA256
2ef3c3f999267c5a1c138ce242220ac94d0b267d2b68f3e6359425157bdc10b4

SHA512
0d1084baf1e9ef1001f2360efd06f55fbe4e82ba9cb84b93755312a5c51d78527864cc30c254522984cec3752c360869bfd66018144b300d461a3b3fd9b65237

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fbfcfee13cab31cd540ea2a66dade8be

SHA1
42bc5d38a306a3f64a57cf2d42e92d0e51b849fd

SHA256
d95eaed1281b16a086b8c400be861dcc18b0e0f1dca300cb9879a14381a659d9

SHA512
c5fd9775479411b1be47cb0b0588f4652726787e2fda4e5fcb8978d0a89c68fcc79c02279d553709d1ceac9de414430cc2a783d4a73da959be6b67525cc1ce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
085cccf47580d27ecf09ee3ee32b3c5a

SHA1
0149b5520655d64ded65f1ca447ce7e3dca264a5

SHA256
a7a2154a2fecafb8b9986502c27f0e4925de2e3809705d811b99940c1be20731

SHA512
3dad4ded8808d5634f38fb632683f7d5fa395f78262ee20e35353a148f412b5cc4f030704860896486971610d3b1fcda4fb20227e138269229fbcb5061e80257

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e7efce2adb9047e26c884c3a07ff7ab2

SHA1
1be98a35b7612f29937661e1178a6d8759b4d948

SHA256
b25589f310e899fff16435e259506df51b17aaebe1ea171e07c9477440f79c87

SHA512
9503b057454ee9f26de48025948e5e46167e6d2df3a305ec9d0c16a5caf4fd0d290b3526ef2391321766f3236561b506f4de90ea6ca3d131c0e87842646b1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
807ef7275715ce59a4d72056211da743

SHA1
da347e186646de5de64f2cdf114cdfbba206ce66

SHA256
a796412de1bf7d3c36bf3bbc546e79a0b995874af9ee1347e0d4bb1a42ccfe65

SHA512
a8e3525f77f60cc4c433a0d6224c6db405cd711dbfad6f1b3f77455181f7ecc8a6d73372c485edfb744ac91a6360a0d03c7fb6121a137727bb6f6373cdece9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71403e061855015773a64c02d19eb12c

SHA1
542f4872af145fe85bf3ffc4af47fa775a579c39

SHA256
5ac7553001b785b48c783f4401ea1ac1a57f0b291fe32a513456bc36f8e7f7cc

SHA512
3271eff086bed987c21b0b9cd246558b8d9229aadede738170f1e20e7f5054596722762c772807ebe020405972db9f380043fcfeea3fd984ef8c15a31def2f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6fbe2cef3cd66a6d213045ad85f3f19

SHA1
b4fefeec206e4aa00b1fcec88b09db432cc8fc3f

SHA256
4c3c6db6d49b87e427a0b7ca7c6d17d3c0e727e6010421853ecab99fd2deb62b

SHA512
38a1bbd80cc46690702cc4c454850a22ae4316c4fa94ce9ce3baf76ecd52920b8a3f53d0e3a0cec5a5dd05b40a0920e83ffaa4a79924000518a114a162c9cb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b929d04c32a5b44c150ec21c5d5ef7d8

SHA1
58bbd10d7cf50c98c8c3651dd5b4632d9e7db9b9

SHA256
fc4428091f464ac66f4cba478c4294a7acef9790c59c2cb7ef8e4976ac2dda8c

SHA512
b4a341fd55be90a0cba6a006a93d635b3d4cd4666b1e684ebb7ebf62c4ca92045a939647f145a6f58c0b3888834239b4b59e3d9ed46209c3c16ec4584a2caebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5d723c194751880700b1dc1c01da4081

SHA1
66f240f503e0b7bc238f0d4e7d84b04121693f5f

SHA256
1dc590a2c47e81b211863bd3a8fa54ed4ff962878f527814b2b8d4a5cbe7aba0

SHA512
3d029e1dd41824b766b5db006ff58105441e070222c6c6e04be393532e328083ac1412a16e51b4aca7c47b5190df5286b35dbeab213e16580fdd9eb08c7ed3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7eaac5c2823583fdf2a3d9336d32a538

SHA1
e6e889581aedf3de0e4c761661a84068ae4ac641

SHA256
f8aa45e5ead7bbc6103cbd50e7f6e35af08177f281ff1c942309a50a553a7f4a

SHA512
15e643c456e160991cf3009f8daff77c4fe29cd90183463fb6cf39112bf2bc02926d9425b0baf3a9dfef41197fc16595ef3d9d2b3abd8f49a3ac0ef6bf938883

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c9d7300dc1b585269027323d5881b27

SHA1
698e735de4f7afdb91d63efa42ede00f62434c61

SHA256
6eedb67996c87af7bd56001fb864897d4ae88fe9d2eec72b4d37491dfa8ff1ed

SHA512
ef1018cd3b7d561bb7bd0d57137c5e5ad6a927bb573d4189eae1dae89886f1ed9a51b8d4a35ae0f92ea961ef751083c1ea2dd20d4a024e7b923f297b59035fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
983565339055ab006c2b2f2118f165ff

SHA1
34cbcefce31fe8547f45925410b10bbc5ddbad27

SHA256
b8b2ad864ccfc5079ae50940323f7eac6c21f22bfeaa11e49486183c259e4e30

SHA512
1e206120f280e3060e0bbc7a51c30cfd5d22974f64f33d861cea737052b52f70fb60e35ae41fb0ccf2df79ac65fb8cfa2a31322743dd1c1499b275bb4d03575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
72ba227d298b00c70837d9691f6971b6

SHA1
cae6708e0feabb6c4fdfeeae71d132a33dbd1f9e

SHA256
39b10aa8f1d0b6eba22f2dd135655f57a10b745a0d48d9e12a782634b04bb404

SHA512
31ab2311fa77e8921c7c92f1bc45c4a39f065c5f251c3b1da7f58664dc9e1bf56f17c0d7cdd5fc87a2dd4ff3f29a7d475a87d4fe49191a7ce753a929f14eaddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce76535b05f4c2f4c318ba00c4f14fd1

SHA1
b21b08c6286b5cdffe30b2e39acef3cbdffcf48d

SHA256
0feea65796901b1938c68907c22eb34e73de7d85f996f5be7608734acd2367bf

SHA512
180a1e852c076ed1b50c7b953445c6c40f56629242fa6627b2afdbff8968f42d8d4757bf4069cea10856923d8086e6d70daccf498192785584037c56747257d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6f0793b1b1960dc12d56bd8836594f4f

SHA1
9c4a9c9861592363773b616f41faaa421c9968a4

SHA256
806847b37084f044a63b3ae187e76d842d6606299a7c522861c46401b9f3cfbb

SHA512
9f40227bc9d3ae711a29c5bb203a01ddf00f61c918be30dc32bee21c0adf2e85fb56a7d2e410dc60fd612d137c4db2870ed007b247e957f54db0bda63b09c945

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ffa28c770ec4533e6bb409b97983777f

SHA1
87e681b82acceb8bf86143c292f681ec75f8f6f5

SHA256
7e9aa5e410709f9419f73e59a633479b11a876d4fd1fab31f0e829456b61d7e5

SHA512
f3a286d9a3e927f920c3ea5aa24f1250d8430dfb83b56c1a843c2f298ed7667f979e518e6f2ec48cd8bcd29d7aa1a867758f9787900a627b06bf5cf87285df89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
469c2651c8faeab82bff38581adc85eb

SHA1
785cb1b7616189d78596e767cc0ddbc021b67413

SHA256
1fb28d064de4c36727a541326bc1cadb2ef1055177e8346d7db357ee92d74316

SHA512
b1712b70dcd31f3e161a20424e395c3b6962cc55cb8e643b472f1a637b5fc03ae1601d7ec4c9ee8c203086d7cc8bb997aaf29ac8b420ef57014c5f6d1e817de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2bf2dfb62663c98621a734d086a30d5

SHA1
0de509d8afcc19c447abcfb325801a5145e3f448

SHA256
3829245bbeaa63e31f3eea14b7706909d1de06bdcd34b867dcd38bdf52bba76b

SHA512
add79f654fb09b397509ca619cec9f09a883b36f9f3102cc55b5bf8969546d574fe124a21d5d078d0517cea5a269e3f0954e0c1ac165a3cec1feb66cbdda635a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1302a3b92e9182851743ef4990f7287f

SHA1
b6cdd3e0a4f2047c3783e5c13bfd690cd6aa6c37

SHA256
5a3c7438772f093460fcbd5f3b79f5095be593a7b291f12e9be42500d4217a68

SHA512
0416cb00fec3067a29c31085b9944da7210b53d13ecdda340f97fa9446d8b7f4d34bc9b7f01ca26614573873acc14b45fb494ad41ade841a322e3dc852babee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
701ea22f6f38999bfec4397fb4064d9e

SHA1
92addbda671feb9dcc82d0a721c42e3eb2609bc1

SHA256
c0842a86823a05474ce3ced39ffd0399ff0f9919843b874de1f376c0c450fb62

SHA512
317f3ffec6a364a29cca6dcf0068f9be2a50f69fb6c276a8e172156ac1619e00d5e4c95f2f8c2552b76ea714fafd61b6ef13dee3cdc65607648fe6f09ab6239a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bfd10aa13679c77bfe3ed4c0175b6e05

SHA1
a09f04a3468dc340625f6af6e30e36cd4487267b

SHA256
10d2b3585e2fe5038139408a1faef361b9efad392225fc23b5192ee96455704c

SHA512
e72b0aa384c313bab918161b308eeaaf02363e069f5da93e15b735b47092286c7bf94f35b670a47776590d2b1bb41f31a2a7a8e6797b2dc9d9040b506ee70bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31ecae0a235586695bcc18ab2836a450

SHA1
dc780d0a389bbe321333f1a052b8d94a04eb57e5

SHA256
81d5ba5f06ab3ff197c9b16a5683fce67a5c7af5b1ecd72a5c20d47f5c8a5cc9

SHA512
c8928f6e9707042512a883a3da027f06a1185ce69ff0961f0106d04b91e5be3ae865996750afae1a489b78c4930a9d992b26607ed95af462c885ee5f6cd95c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
acc9b62d894b4456b59e56cd7be40b4b

SHA1
aa5d01301f6aecaab9b556836d6d64fc25c05eb0

SHA256
fed4f4d052986ed6977d267762b39b1517c127e14b1c507fa1b0b116daf7e7bd

SHA512
c4ca0861f5fc166a9940149a9e3001fe45f5c7d69d6f536b25545c4a0dee8b11d2cdcb6d83ebc5aefb8e20809c2a6c19d424958c6e59d85f954491132a4760dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ba050a1758ebfe45cb704c491dd9e8b

SHA1
0cd2844fb2ba5a43dacd7f21f0c8e1ee2d68c685

SHA256
5d78bbf3feae71a8a198f48d58db7fb4c4498ff31d7ac6270e22a6279f33957c

SHA512
9059466ce1e4d61c76d516abf3830958be8b3322ec1dfc12358c8c449bf4375f3687807a118e9c5a2e497bff12a196a18681d3e88f5358f73e17727a9ec52934

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c7a918dcfb3f99bf26d25ad5fe98edad

SHA1
e8243e08feb0b7d56b9d8a66c7ddd570e727d066

SHA256
9a12a9e7b1eddc9c6a67abb07d274385677bfbe0bd6c198b9859f2e4c6babc23

SHA512
92e9644028f26d766f53d2ba0134170635d26ac94182db7ec3f03af8bc64a4471597c35f9c1fd227db1eb4fc6f7db9c35ad541a5af4fd3a390477bc547565d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d569bbf2e3730d1bf82f253a1ea7cdde

SHA1
8969d3c592567b321107c3b9b973e61063d376be

SHA256
b1659313fd0b0e363e20c68f5c4164347ff4f084b27380a3b404821f5cb21d07

SHA512
3199a389d00ff114bc7ae1509927735e0d0cf212c6585729f2d67d202ad22d6a4728684b2a78751f085578e99e7998d15b6fbaba5cbfb96942051858276923e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d5b6830fd7701dea04956e367ab2488

SHA1
4ad948a326845e25ea446021f88c82212dc2e1a9

SHA256
4232cfd8dfb65227abbcc897e1db8f486bf9d32fc09e18f95ad4d416a6a721aa

SHA512
6b5511963f8a4f33cc4859c45f692c35884964b44c41efe8fcd357c4f81111a6cc7b8a6a808d40db3b7b3354b0ca07e6fb2a5b472e8abb5699f813371e2a5a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46d86ca93adad3363de1186fa68d1edd

SHA1
eb039266e9bf60f59a379e6f1bc28fe36278073b

SHA256
141ab6be08aa371a6fc4c71b952481a3daa126eadd8f8e711089c520292c99e3

SHA512
80d389f8ec5e8027d29e8e57010aff1b5692b64b97c74b4cc9180da545490087c56da06fc6bcd7b713198b9d83b82b5e60a2905d0b08647d993cd74818900318

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
64eaaad391f4a1365774e21c3e5c5046

SHA1
e54d5a3b2b90649e92ca2c7e9bab9e224ae0901d

SHA256
20280fcde8f0b2063b641654d662755eef0785f77cdae701c77fe0aa3b9606ba

SHA512
f492cf60e8343583ad6499ab4bd25c14efc9b0d701116904af993c44e2d4923238b9eabaf5344cdaa97e4868633ee15a6f978726de9566fe0866937b6ed6911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
74ff848d5cd23a05e8567b7a2b6dfea2

SHA1
f21b0d44e07824394c12955108bb0c8ac8537fee

SHA256
477a12c7b9f172c4bb47509f7517a900652fd9b31f9ca5d7ce6c6d0df3966bb2

SHA512
f1ef693b7468e3c69ce1134206b539c9a77f87ea9b715c5a9182f4ff6434353c19945f3f1e17452f1755ca3ce0963b26f13e4911375704b982186630a9ed4519

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e6c950284bf6bad5e99f74441f858dc

SHA1
2b08ef0e6e72f2e1209320e008e08dff85410036

SHA256
743cd0463f82d39feb81983057640244df5922cdaa6fac6519553f05debf946a

SHA512
5dc2c557bad91eb9cb40baf7bce396b8f1c78235e270f6d21dac1bcfd2475a95bcc27b8605a2e650e8bc933fa23ed8d179c645dfd3419aec896a78c1ddce36e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f29480b9defd4993b7ceb4f44b8b0946

SHA1
b3a28d1d7d6a56a1002389d4350495934a8dcd02

SHA256
8ef1637631cae55c01f741c65f676c77c1b300f65cf56dc5f03914c8e8d35f98

SHA512
4dcff07a7babd2b6c1cba6368e7e6874192a77be1cfcae62c71e3f35fddf0742ecd368ab991bd3e100cde25c77442f52e386fdc7f062aff690802a10d0749e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
99f39f0a48e0e593b8f8706e59a30e16

SHA1
fff0e2b005733750f38fbc6ce87e284059c97f31

SHA256
fb03c1ae3b811216358e06b662e25826d7abd2bf9627c2eae4971c773ebfda6a

SHA512
73ce8764b89797712e15eafc5389bcf0e4ad212802e66e03edab0e40f57a185bbbd0d5a48de732e5ad1db14dd018ea1229264a1238fdb2f591717fd6f20a934f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9858b5bb7809aac0112ce49534221b73

SHA1
0773310fb9b36ddf996efcb6cd758753a09542bd

SHA256
9d6955273a785b816f0f86cc4eac6ae713a7db68d2027b8cf80ae88972486d79

SHA512
1d6ccf7dc143b44e0c8c1d69e29c50e5f0cbb27f8cbf12d3b543b8e5aa1bd1c20f3de6e5217105f8345fb8a98e44fe6a93d2fa2d90239bf60f23a1045ed11885

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bb9f72fe21dc7d96cec17a1eef5586ce

SHA1
79af3a1906320ceb7eac8456e85263c7b4a973bc

SHA256
005d83d6875466c06367545f3d629cb09bc8e8916409fc4950d21df90b293370

SHA512
32db0b17a5959b061ac8870adcf382052f32e6ff2b9ab0a3efd6309a5b544b935f607cf58d2d5873eabf8727cc1c89c42c83f5fd77d0f593b62a4daa6c1546d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
33bfca084fe7d75f572d6fb9fa341d32

SHA1
4d822710e6002d8d527232d67407ac2e3985cac1

SHA256
243fec092d2b8fc61b32cdadf669dcd744994e0e3658c2c52e66794aa321999f

SHA512
bbfca3f9063aac403a887fa000fdf54d3a0819a6be34a1f30aad535ac4a8c25c79a90c758800e033ada8a2cc89101c22dc38cf3073dfec689793fca9029e12f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
447f53c675c1122a68eb8516d91662c9

SHA1
f8d7244f3b3a1a3c44cf1230cf3e0d0c890e6f7f

SHA256
31f6b6c377ddea7d869b986a302722fe92b8a84268772051f2f74aa1afe93599

SHA512
4fe61709b90c3809da4f82532e187f2dfd7cdd44f42edd3f415ef86820a112fb46e6b25561842dac3822b523a6a3e8eafe89f4cd383bc4682122c263bf056f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
472d659ed7547cda2d1a99abc7673882

SHA1
0a63f294c1a1f88671b3d3aad4cacdb766ab5baa

SHA256
a3f33f82be29db7ca623ba3a14bcd8b2281ae9b536b6c17b36a780f06d91ffab

SHA512
7ef3598b6f9a31a4fe09a06d26d9ae216cae0f38463519fe8d7bc547f8f10f86180c5f4352aa1d41596b07037927101c18a0b0b92753d0a5f0d7da5ba6cee35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95354dd7a80de7599ee734c0fe108b77

SHA1
037d8b60b0b0c3d5368925f6dacd1d989316189e

SHA256
88f00b591fd951dd1b25f4a6a6e34797ecba81c338dcde0010a6599a6bd2ef63

SHA512
603b0ddd1883ab8b692bf7cdb8c10504e58ca2c2321b93be4937f74e1c7c3642e8f3cd62f01c4663af851e6b2ce3370ff6e5d2ed55b8e816fc22fce038d4de9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec7b6157e2b00cf19acc124699e2b552

SHA1
332bf2ad0c84e633003611364b5df94b0dea0932

SHA256
a4048d8117a28644af1e2916ecd3d4d245fb80dbdf7f1ca7254b538acdc66bc5

SHA512
e4c9b6d0439c12ae44c2259dbb85a5b4fda0e226cc029e64da67d67cd960b50f7de3d431136c660533aca65d4495652773442b9c46ac79d47053e44d175afbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5db9942a04162b4689cacc10725fb5ec

SHA1
e88ea283b1d1ba582e0122c4aa793208797ed4b9

SHA256
65b1c603b76a1aac395cb976d831023b5c71603a47cfa1bbcc0618cce80dcbbf

SHA512
eb1060c0f9a6360dd2b1f5cc6b240d45dc04581b45d27286421609250c6ca1f1f202795aecbf4b66bc6f1c38abee1b6a1df654e76a7fb76cb6248a2860e091f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a36eb00c60ae8fa697bd8828beb684e9

SHA1
8faedfe5b4533ed0d905b16bc8b34daac56b30f2

SHA256
9aeffaf95aa88848897ed550718c8e2894011a20e91e0d7f8d742524c3a6fa65

SHA512
eac63f813eb8dcb3b43453ee809ad7be1a7c1d9dcf6edc1a1092d0ad7d1aaad8f86a36f597294d2ce5b26b840451c923e5d37894f53d38b9d4f7ad547223ff66

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a60507118843dadfc82144397f6f5621

SHA1
deb31a9b286608c087e41b33ad4de7b17e52d953

SHA256
5c1ef0df508934955105ec8353b6e1b3a0363ae8024701c1441a2613fdf18d31

SHA512
4e5672f7a46ae3e16cf5e6b2503fca199df9f1488cbb337ce5abbeb1b9d1b17b4b5407e3c1f1591a807e92e26d7a3f98cf810c7821693b6fb445c316439bc4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ef6ec631eaf87420e8096697286f0a7

SHA1
1f08158960f8b5cdf6c36b3fe9802e08f18cea6e

SHA256
be36b62b81eb408316b3d8992c2abf4eb92b6c23d9cbe8043266a5ffcb48ccdd

SHA512
75ede43132a668d8d34ecf6fa6aea7c1526145a7532acf848a6bec90c50f5e8293adea03919fc14f785a8f1ab0015a9e8e5744cd28f0ad12715e61d2c1167d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b3fb3f50241a72e7aa0a80f3c2b5885

SHA1
830aa01a5f01ee73990b5f8b6dc20b0a31bfe4de

SHA256
187678c51d5e951a576ca0c9dd1bead721a4e4cf507eb5529c7aa755c449ba9a

SHA512
ac4bea507f8266502a0c2e262de5c426b7a0e1088346298885a8fcd3ebcfcde14044e7153dbcc5c2dcbbd106f5268f78a948367190a1a2fbed8b723c87ea9f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
deea52684d433f8b55bfc4611f07afed

SHA1
2b73085341edb2740657528116d18f7baff9f21f

SHA256
057839292dbccf0c5a53b6ebe3cdbb1c1ad360e94f1c6afb60c6d84b45c89015

SHA512
25c32635bc521dd8729e5819c5fc9f759f06efd3c593ac39bcc7db01bf07e04791e5bcd23ddc0e6ffdbd4d6faf76397ec87a554c0c4884dc9eb989f8484b3bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
55d66467a78a45a5ce3f08656c0eb12e

SHA1
b21e06adccafab385bc932d87ff17c0d60a3118f

SHA256
2e2f7ef34bc636f1aeb5778e854bceca9f7d0ecde562e53bfccd07dc77641a68

SHA512
d300887413813ed6a9c7f06d4e9fc3e1e27459c60d3bada828b160b9eba15f4adf33d664eac9c2f95b40e2b69c4337b78542a3068430774b414d3c0d57a9d0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
037d68119e459b7d494c1c336a461d73

SHA1
77787b613cbc251beb1324b340504b6158f3ad4d

SHA256
841c8d4f4a2bf665807c635c436934b8c5b25c292cab5b40ccdc8d2a17539341

SHA512
bbbd3fd03a70f375c8e2fd6f7af443f5329a296a28466462948f6d4681e8e1b611fcc739d1fa770fc9109ef6ba74fce33a1bef2cd11434caa8ef870e5047d9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e2f32132587d4ae8f57e1eef4295f3c6

SHA1
3926e051b50da2ae741bc23b7823697ad1f3f1a7

SHA256
f8c671867ac6d12d2e24e0cc03fa988a0b6b14ca86f8682eba5031ffbf01d653

SHA512
2b9a86492a25b59b3f639c1d86b762daca7a49e9f5987e951680c64467e98f382a0b0edc430266f42ea3d00c4152ffbef4f733fc132e12fed32f7836bfd842d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5fff91d526d32f001745337f6c246929

SHA1
e2ddd842aa408548e0983609bc618513fc325ac6

SHA256
b02ce94f5ac5f08358a21bbab2bcfa50e6b29941b2108d35d15b901c915f861a

SHA512
ae43ca3421223f5b271e281b1674d2537dd227c4e5ee789bae707062bf70cfb7c24ed8d76a053cb8747648e77490dbd8e1bd4d463b20293f6e852922c50825c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d12f050592860c72e0a24904d9ed58d0

SHA1
53ee7440346ccd3439fd02aae58efe092f6d8871

SHA256
4248e7cf540e9c510c617cb49b97e921d2de126446eeda83aae10ef4dec68174

SHA512
ca9d3fa36681ced1de81d38e94d10f9d2886871221e95cfecf968385b44746c90080bec380add596d58067b09471ae6c17f322ceafd0c894b2f8e98671279e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
799386a98620ae43487c8098a5eb616c

SHA1
5b0bd7680ba4a88ac47c963f1cacd47746e94b8a

SHA256
f1ea8f783ffd7ed7c33733c3cbed6d2684618637a9b04f3d1213838072ecd000

SHA512
36e0b73d1516d3763be1b9cc03bfe82263b81065c537b0289ff451e19d6104909671dd40aed73e4016e6950e263162f58a4a93851f18ef61766f1ed216c77fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
14589d8af13c3420ba9f3dad656e4d49

SHA1
83de0e50f98f12ab96bc7cf6deaeabd930e0ecfc

SHA256
be6d1efd0746ba04c66938d87c7a17c99523188b258d166109cfba0eb1a75992

SHA512
35b214f89234b59fa96fb806094e59858266396d3d8b2c30cdaaae9917e6ab1943ac921dc615e9b4606bea249ecf98404ffd96ef6246a3d8fd45f3635b63197d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce4ec09c5bc9b5b9c421252a39010f28

SHA1
7f2c1623ca279e96134ea97efdb2a9bc32eac49f

SHA256
2e687e2ece29b1f3dffa0421ce0e5dc43d6e4f03c2567511f84c3bae8a79f8ec

SHA512
f01acef89fd1692196d249911200b632ce8083aa91295f2ab52876dc5a51e3e66255a2f14653eca35f3d31a1bd6fbb135e91279f3538aa7e7c4886050b950210

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ecdb4f73365e83a563b1d97a9b07d9d2

SHA1
51e357d5fafe84f7a792bcb466a6425cdfcb772c

SHA256
137fc57a1d377987d2e9ff793f26dce609c112da0ea936b006a8619edd3fe759

SHA512
ecec65c4a0c60b1ebde37d38018ed37ea5adb8a0f4a19b4027e25c4985544d89fd764105727246272ef350b4aceaea4d142aeb25b58d8f82a4472b0ea86a04c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
24082d719f898ca37e47d80943a8a8f4

SHA1
93d5d19254b9d0a59b626a1a627fb07877f81f3a

SHA256
ba1b5cc51c93e8d7d0b8f237a10e2e28c27c7b2729ebfc6e7d230af529fd5446

SHA512
8adbbddae5c912bd314f2bf8cdcd258e0b859cc3aecb2e681460b716530a4ccd5942de27961abdd6ca7eebb673a91292f401d733046da0ef2ab128d4d5afb9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc775f82b52346374c09630800406dfa

SHA1
f6550046cb29ec74d793be482ef9f34663eab87e

SHA256
e5397a15bddee3224a9f03bf5dcede87c21c8aa72b7205d671cbf1fd7878162c

SHA512
44a283dafa1067edf9620b9bd8f121a089965715f238e11df64a4ebb643d7fadb222c14eb0d9623a4bf68a67ff08b441c237dc0896fc22ec8ea0e487e2082a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e0dc0d974021e326c3dc3aa556d16957

SHA1
c02fe36cb9b43db3d6dce81a79f1ea13b8e14910

SHA256
553d56412af88fc32d0f2def83b409dec02bcb3d12fece01f41bb988014b78df

SHA512
f4ffa853b8033e346571ad6148427b3bf585e4c2d0c8ca7fcaf7feae2f25e70c1ffd0d18583e5465013394851fdb3d572f7762846275c6adff1b1889e7dbe70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7382e22f38fbc92dd1e21a21b12fafbe

SHA1
7510d5e7d0543ffc07bc453eabf7a915473ffd79

SHA256
7423e0af95f4d8398c4cfab8c5b4f4e0adc6d8553f7b452922a9d56172cc4fd5

SHA512
23a4535160587ed313248ba5f038d08c47fb2d30d42fc7fae814ae536c4abbbf1ca3dcf8f9104ddd590c5bf1cefd214d133b0bb8acddc25a492d753998d8e15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
40535ed078e4a7eb18ae003e6cfd360d

SHA1
e0e035b10f88bd09d2243d80d4ddd203207d600f

SHA256
2f7a3b252253323ae098fd5397f188070179868e434f0ab3af08fbcacc545355

SHA512
b64a73e6716295ff216f7db0560b8537a0b98d0edf5cf6946f083d5d7b97a221ad798a662a4f2324c9105b7f435e7aa7341117b241eb71cb01e2efdae1718e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
197d5ad7a56d3a99442404eadf29ce66

SHA1
50a9b799cf2054604cee64d00a63a320fb0b257e

SHA256
ab5bcf6c6c52127efe58b21bacd6fcb58dc35f9f612539ba2544ae79e1a3b02e

SHA512
9af748e5cce3f12db08ad9fca47987b046b8dfe4e2f5d6f208488aff6efd66e4f3ed882de3098dcd9a30d7ccf430304e617d30d8df1f997458aa760a861838e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08ff54d656e353daa36dace0f2ffe965

SHA1
3fbeb82cad58d98982793469ee6a003528999b63

SHA256
058170f97d0c3e067266c7318ef54f9ac8b0db5fb1a65c952b48934b39853948

SHA512
52d5648d6f8e373144edc7d943a63021d936c1f193b656f080ea83d2b366f7db1c3845941c11b5cadb27f4facb035ce90efa36c0c80738b556a8773a244a401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
733d5450248804b8ae6ee7a4a6d732c6

SHA1
b1ab81b425b274308dd98732bf1f8c7b33d7bd08

SHA256
8361a76f8e32c0188dc8744c3a7f109cbf3849d9be1744f10b07603ece4155d0

SHA512
4fb26377e85d8124842f2952d3c945059812cca0205c41d193b123acf8433d3c60fa697f03b824ddffb0cb0d7ad41f0f5d56a9111b6fbc28162ea71e94016122

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac1c413de1d932341804f9cba5159a1c

SHA1
7e36c08561e915561d2ebdfcfbf9dfdd8bae976c

SHA256
9f8cec1566b588a4cd57574a71565870dbc12dcfbfc7669062ce57e097411f7a

SHA512
7b51ba579af64f22dc332d4691ceb495e69c2416afe25f6bb1c82dc1aff8262dfb5c46a67c806f1a2421e9355b1e3399eaf4461cc9ebd36c8bf89ff2c3daa198

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ac86f9fa068059229251fc3bc8428c9

SHA1
72e62f1ba82e9acebfe270b9c4cbdb0c67d21ebe

SHA256
b31941fbf60880f846b2df6ebc8e4ba5d4e7dd1e7a727fdff279058856e40b05

SHA512
54b2e7e4de316a97d33dd5395a1c13f9a25cfc8253d0833dee41a6e31b7f43486ca7c61beb4529ab747d06a36e0c8ba92c3c109d6d97ab7a785a50d00df2b1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a457e979d880f66207a869fbc530cf5

SHA1
a7cdb73b1531851cb241f25612bfdd79faf040a4

SHA256
832ffbb6a2553836f601a95e961800388085f2f09bc6962afef9fe2bc2f1c5a6

SHA512
40231e0a0394598023c6b01c2cd5d2f8538f6bfeb56f4b5d96c305f52c1ee5ae54f60ccf75a825ef8ee73103ed3528c93b3af35a14e33aec9514debc4f957d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d01525d6f40e8833bd1850a23185e652

SHA1
454f77e5cdadded240598e6d07e26d1b490cf109

SHA256
a835c3d147b7c7bb5ce038d21873dd813875af6f4d8fbadc2a6e91bad1ac2758

SHA512
144c000ee5c19e93d12b9c9e19abc23cdbc3dcbabe7e4f22b7555ad57b2ddebf6e86d013e94c9316cb2f42c12421054e340bfc12f859ab24424e1b5a7e7f1a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e97f38fe43f5739625e847b162ec0ece

SHA1
a96781a37a673032f846fdc57be1c2ffe101e862

SHA256
7c77b328e4335cf1489fd00dba0e522b77463b5d5dd0363e65f0a67392b59e40

SHA512
db829d936e07e6c5aabd2629e045346f50d3d2b187e3fc2b6b3b6a464e402c6889ac46b65d7128fc819011aa5ae177b2f67b30514d9712384274b648dead791b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
516919336aa92d29f536b775f10c9c53

SHA1
4dd9f8592217f81ad60ebd060e541b3ffdec2a2c

SHA256
c72c27268b60a669aebc781fb34d392d8fb5ae3cb98677fffd6dc0bf48e87376

SHA512
db694cd0a4b0b6937fb9e6fab8f44235b63acf69c6d28e841183f0637e70147e561b4fc97e0ea3a7c4ccbc5c8b9096412497bc98a1caa7ec4cb6185450cab763

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
331433eb3bd63e83f25ca9af0c6befae

SHA1
bd1f3c9c98841598b36301be16ea6663acde1ef9

SHA256
ec7af3de8a4bd8d0b317e0306e1d4da5031dbe4bfcfa8c123b96653f812f9538

SHA512
cf50936a45b1e56422bb65fa71647d10e493d9b183bae2ceae8cc4cf33131f86523f1ef7ab90fbca3b07aa0bc9272393f1b44d2c7633062306017e15408a80cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b10b860d0658b4b9951b200ebb72400d

SHA1
698a7a2dd0354a1e6461ace839bf84973693a320

SHA256
3abff8eaf3193d5a9d6195208a933d6443832b1a2eff48f6ec16e42d38414b69

SHA512
43f521defd71d9f0a897998eb6b8a06fc4ec3c4ad9cc29a453d2d0c6b6666c6ff3e52bcc3a1271a62b94db1f615a01e3dab6be68f74189f1e60d49014514e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed17a5d32ea1a81c50db3437226709ee

SHA1
3d7ecf11b9e8dc79cb4b266d983e579c52f4f270

SHA256
82627e76d48e34ae82b09009582b1b8efa4b2f78e91c97651199ba272637834c

SHA512
ec11663da2c2ec39b28e05f70109e7a5aa65a230b7852e9f1396a8e378af92d209b9220348dc3ecd3ed067cfe24e063773286959f87b15db3002e1a8d8f9afdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f87e8140003175db8a4ada43d60caea

SHA1
dc229bcb4b0dc3a520c5c47fffdc18a359dac292

SHA256
8b86ee9e496ccd9f209422e88446487cab08f975c592fc143d377792dcc6946d

SHA512
ae6a16cd5785437253f5befacf5c4d7a0702c1557597584097401843728bfc2c9808ea8f62b9981cdb05bfe46735df2dff14443c4b454c0827a78d3f85843a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a44f8a120ee23cef29cba07acf4a46a9

SHA1
cf0a730c01daafccae723deb65d2d3dc491be9c2

SHA256
1aa44c78993416e5b71cc066730f81b45cccf0d7ac675f873bb253385794bea9

SHA512
51a953048b4aecf77bad6323001b08870a181051e18897b00d10a68506be7cb540127d3528eecf57f6625cb0652eb974c49bc385d54f93f69ec931f0211e9f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
280cc379e8cc3b8336529b00a9c436ad

SHA1
123fd1a6aeb37c474292606849a7dc54623b10c0

SHA256
b47a05c60ae78ecf5b290b2c7034bf70b34c622d77915ba8fbddbd0235564524

SHA512
185d0dedd2fdccfb5861ea5a3b2fc7809ec0390b408d9931bf55453597986dfe183c3a92de0dd39587d5ac4955b2d3b8855db5d9c18f8dc695b8518bf65f57d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
29557ff7df4bf0ed590884f2b75281de

SHA1
57f65f5128f42e0e3618d885b994017204e28d28

SHA256
f26a44f79b88c44d8f9c018799ff0e8abe88a0a510edfb804bfb763a5823c42d

SHA512
b6aaea0d673dcc7d724ac2d9146f7b8d2113a713dffb94db49bff122ac4300537c32ce5c3cee7c444c58db0920c761b664b6ec7b28ae5b2e44ebe7c7a88de42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db94c1bb903e977917cb1a04872b6c19

SHA1
00bdd33797fea4c33cd4396ba545cf1eb45702db

SHA256
c22821209cd1b534f1c076f6cfc9b735fc1fc4405559326992e1fd083b0dac0f

SHA512
f486b23e065201c2df032b4bebe6aa12fba84d73465fc4f4894bd15c60f321e66d9275e2373be930e319a29275bf3b91fe5b64f30232a1fe56c6d2487b4e330a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9254796b408a2eef51826ca8f5dd3e5

SHA1
e78c6f8bc3a5827228f9809c41af0e1f26d9af8d

SHA256
12c446f2c26e60b6f15cedad778506b6600a1c5e5e3f855b802baa4fc31b7cdf

SHA512
db8380edbc043aabc6464a7ca0e150dcf682a7b6ecbee8acfeb311255740a8caa3feba128e9a0245e4de64fe3ee1f62526d4a85828b1c49ebcc2249916fb38ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
629be9842ecba401a7303dd0709472bb

SHA1
3e1fa25fe360367f4e45d2a22d3c18fa0f05d5e8

SHA256
781dd3c5cdd62c8fd2c6291e3ba54b582a123c293ec492c717170889baa9717c

SHA512
cded3ec9b3060d50e45a8fb82f2ac37dfd6857b92fb64a73d78e579a0b91fe7980612066e97135152112c2a70b4121f5e724b83eb161eda8b0df9e05405bd893

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0fbbd9289d037ce60e1593b14e35a49c

SHA1
9793a96aa2d7bf206fab2eb61426bf00c634c565

SHA256
5237b906a1889ca636cae80d8645748f6bdcd2acc5d8ffddde627fa2a7b9101c

SHA512
3084b7b3d4fe9d43092d0f9e97c74713b74ca6f86c47c754bb862b3df214eef8762363e2d40c3ed140243161160952b5bb4c300b24133ddbe1aaf05b63fabfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8645c909a76445e0a445151c395e062f

SHA1
2d72a6a3e9597f150a9c031f76a97717a3b37c3f

SHA256
ecf32d7b17cc7e2a924d9f499a86fcfc14f5e106d7534a24aa546ff4eb8b2648

SHA512
781ab4531084547e738cb2b09e8d1768b0a45bc6e9636c6bc4d27f6e06f9ab5e1e8d8287ec388c5dd2ba0dbf8f12356f00eac4f7cf120983681d0bbfc14bca93

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fdf282f36340c8d53d88f816fcd5f623

SHA1
e54ed576160a0cff258492ffc9db4447bb63597d

SHA256
c5b2691d260640d8ddc0fecd31293db7ffb9e93624d77b72fae8757211982914

SHA512
3eaca40acb407b5f50247f2820bb6774722ed5c184f6db9cffdba5f0559b375165a93b6595691c52ebbb454e227c8a7b441c8ae0c8228cd5b3bcb6c1da6d8e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc97763ac9a625800e25283e3943adf8

SHA1
cf2a60e4084e4e64c61bb3ea4f43b4c6c4d2170a

SHA256
a19d2cfc239aef9050b5e5d5f2457a2c7b8af702886a87b99ab70c2e344bf3aa

SHA512
0ecb0be6aaf56423062e0e10909f93c8c580e766114e538690b4645b69158a4dce3153a913f1ad55b4c717bf06e773d5982d67b5137dd944f57884924905dec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6e2d706732724aa03fe56de9adda71c4

SHA1
65c319f1fdf592bc6bc2d2c6217cf363645f6e53

SHA256
9d0709f5383ff3ce48cb742918a914ed7db67f2676a7be897e52a88ad35532ba

SHA512
e97883bae76cbdfe3a56559e72c832c9c337127cc108afe1772f7daac46ee8df9ef30d0475480ad0037ad96b12a895e3ab0b1261f202ea0a07cd55d600d29eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8cf48c55f626a1b21202effa62f60d1d

SHA1
8e5ca4137a8030bca0d1c7417beec9fb2ced2388

SHA256
d95d68b3428bc8441bbd2e30685b4c09d74c0ba94c80769c49fa5370408e0316

SHA512
d8f9f48b381329aac22b3943c30e0fb7b3b4c41e2430393407055280a709b2c29ce6eaeec259cc57b344821e614c4f8e8fe2076ae9a03889aea718da5710201f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e48212d006474cb959f9ee504c111441

SHA1
c06a4f73ecac6ac463a7fb87ee42b4dbc1c0ec83

SHA256
4385ccd4d978b5949f70bd92c96bb6c845cb4f9d4845cf8f396d94b7ada32d89

SHA512
dfe88925573a5941f90546ae18f6cb024b1b0f3e5ceae2e322efef0f2a5fe3470b933758801d5fb9f5d6ef5af008842e7c177da2a07b961d900858165e8da948

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e15e5f4fe3f69a7589394996cb7b660f

SHA1
d9e7a152b28ae71144544126002c9cdddc89c985

SHA256
4335b46289d4d9405a408469f034d46d8335addc21872b8981566691082a9a01

SHA512
d5184e6f6b464de89357a062e15e8e2a9774c981472d5563f41aed5b89a10951742b9d52290ba0b8517ef592453f116e15d022573d7c297de5d40b8fb19df2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69a0246595101ef6fec686b599af1b07

SHA1
fc02fd43360011fef2d3bfe3a43be83b37bda704

SHA256
d021506cf11272455dec0c17a524626a76ff998e78d7a406cf5b1b5cab4c6f78

SHA512
f36624ea6c8f4900dae3dcfd6e00cf5bc24909919bdd62b93724ecb18fc50508b1827796fb6c1ac5dd76d8e4beb45a55babdb9ab696e8b6ea2fe6ffdff4dd37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2f2b6be036f9367d2bbffe60aea8bcb

SHA1
9d6d0e44af24240282802e86154e5ff6124d50b3

SHA256
cd1cd3cee46ce83ab0dbaaaa4285a7f7ccf41081676bcaecdc918018656d3171

SHA512
e7d93e4022635d9acf671356a5884697ef7419de3a7b03a09a11b765faefd98dedf83b87bfbbb5d96eb55e11160bab7cfbf380b60e074019bad399e047830ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9a8fe708d75c07ce19e48fff43d25231

SHA1
c503059b5a472dc89d086335bc3d1d57cef68002

SHA256
c2e0a742e8c15b9aa21eebdb328bc28e9ed374e6c4f54678d2a6c4ba1e7a03cf

SHA512
7ebbec0b43eb7b8304e42322dcbfe82968a3867500b68434eb78f4871cec2cbaef23baaacf40d09224acd999cb32316a377c6efe9018c845d69143c90efd9ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
203788cab5653f43856bd1321029cdeb

SHA1
991d041cb2bfe744882e31aa72581a081203dd6a

SHA256
9349567f78859397d851ba507890211c115105b673ff1cd6bb5213bed633ad25

SHA512
736fadafd08de9ebe39a76c00c31066b079465450c9724e91b62b99db81253db2d65f80dbe0f4656e948c541e98ddfca904943ce7b4e3778ec0239e8d066479b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3a53974a68195b9733ae45e34557cf5a

SHA1
f43d24577bbf1b715157e31b0805e981293f846c

SHA256
0ccbfe9e6657ecebf6df3c7f153ceda999b67d4269508c037b13f6f9be13bd10

SHA512
73df984057c75cd0f06564c8094404d15def3c961d06ce0b7bee7eae6efa3bce06eec524bd233f180cdfef61e3be605f70e168a84c4a0ea99285b1e1134f96c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac8ddca197e3986ff911599660fcdf83

SHA1
a2787d027a0ddc0d8cf3899dfad9f52d9ff3ff40

SHA256
cd15cf6f2cd16faa548afd2639e5bb97a7cd054ccfabcceb706f4ecb832a29ef

SHA512
477a1bf1d1c60d8b856368803c8ff3689650a4b5d37d6dc095dbd053a9079a57a269e967bc9540e6ce1a5daa30d2d5573b4bb00d9e584d288c0ce69da03d14e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6cdb1bc4a729fec6ce9c502c1609d7d5

SHA1
6ed9108306b1979e3ec52ff87c5aaebf1b63eb1e

SHA256
5d7f529602f788f6b96582f08cef5b52212c16c00394ab8628a5253fb87cdc03

SHA512
4d0a431214e04e800c906de9706b357dc3891d8272054038f217a2088034d1c3117f0907bce3dfc0a5aaad8d23f7606227c1cb507a34e08a98ec854976f3d17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b51f774455a97ba3cfac910bf0c637b7

SHA1
86da41dfc292bd3470d8a95279cf392ccb5041c2

SHA256
cbe9f0416f54f368966ad97178437e8e7479db73d0919e628fd3331894b754eb

SHA512
7db6570f3f47ea866fb2aa9c922a0886d892c4fb8ed61225c9fd0ffff0881b179cd4b6f0f9ad537934a2a22a0df2aa17b8b0a510165b0da290cb08d7d56056ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5d08c8ac73a23906b3452f64caede5be

SHA1
164a61fca9d161a42b7d3b7627bb5fdfe075f562

SHA256
9bef2819eef07621aa20368e4f64beb4d4753e8888ed1134617c93c5b0ffbcc5

SHA512
35ff2e05a171bae039ede5687adcf866e004f55653c78999f340a0e3e3e46e25aa2929c724589fdf9811adb23161ea14b3c394db794aeed6e056933a68892c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8bcd69d228991812530b79f99024a00b

SHA1
50d22636b3ac63427b6dae03a1fc35624c58d798

SHA256
402483951c269c249e8293cf8fc19a72fc350100cf0889ffa9868d17cfc673d6

SHA512
d87c3b1a3902758c2285778a30b01ca95c74783bbf0e85add4d4b731a880d89c2cb398f29ffc8790a647c82d9aa580c5f7d6b5d1206630c139f2ded8fb9a1c19

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
\??\c:\dir\install\system\boot\winime\mmngr\winime.exe

Filesize
305KB

MD5
1bd6f2ecf1190edfb6282aa9d27be2a6

SHA1
67cdb36fc56ffa7391134da4f66c5c7cd30b3bb4

SHA256
62a770c50921bb6b3b08e944c418254e04439a236a333ad8318105fd571e5dfe

SHA512
473160a47c75f72c103eeeb71de184ade8e135f53509221a6326b3e91ee68f24ba244cd26f5ea5e7bfbec26daf95a958a92260f321ec69db8266947d86f20925

Download Submit
memory/1956-349-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1956-208-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/2428-154-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2428-20-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2428-19-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2428-80-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3164-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3552-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-18-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3552-15-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3552-14-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3552-5-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3552-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download