cybergate | 74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Size

961KB
MD5

c67a1c0ea5ae95b146f7fcdb65824440
SHA1

2a2b6ca5b2572b829879b299017ae73119919b96
SHA256

74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859
SHA512

a6eb0735668b8318667b6b5ab00cf603407a511c50534b3324a41f90375346c29907ceae42f507598a31bffcb94b8997a90125578467652fbc27e9462d33ef6d
SSDEEP

24576:kYd474mfxouZ39KbuXuHiR7QQcI8JOvT7aRgACGhV:dOPfKYpuHiaQcIQOvigACC

Score

10^/10

cybergate off discovery evasion persistence stealer themida trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

off

Sprite089.no-ip.info:81

Mutex

X83WK4WFK6D8R2

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
Error
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\explorer.exe"	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\explorer.exe"	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I5VN10N5-TCY4-MW3M-0KC7-4QP64JDH1JU8}	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I5VN10N5-TCY4-MW3M-0KC7-4QP64JDH1JU8}\StubPath = "C:\\Windows\\install\\explorer.exe Restart"	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I5VN10N5-TCY4-MW3M-0KC7-4QP64JDH1JU8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I5VN10N5-TCY4-MW3M-0KC7-4QP64JDH1JU8}\StubPath = "C:\\Windows\\install\\explorer.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe

Executes dropped EXE 5 IoCs

pid	Process
4804	explorer.exe
3932	explorer.exe
4232	explorer.exe
2408	explorer.exe
2988	explorer.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine	explorer.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4780-0-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4780-17-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/files/0x0039000000023cd7-74.dat	themida
behavioral2/memory/4140-129-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4780-148-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4804-173-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/3932-198-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4232-203-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4804-251-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/3932-253-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/4232-255-0x0000000000400000-0x00000000004F3000-memory.dmp	themida
behavioral2/memory/2988-262-0x0000000000400000-0x00000000004F3000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\explorer.exe"	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\explorer.exe"	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4780-4-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4780-8-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4780-67-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4536-72-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4536-119-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4140-150-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4140-215-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\install\explorer.exe	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
File opened for modification	C:\Windows\install\explorer.exe	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
File opened for modification	C:\Windows\install\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
512	4780	WerFault.exe	81
4268	4780	WerFault.exe	81
2216	4780	WerFault.exe	81
4768	4780	WerFault.exe	81
1468	4780	WerFault.exe	81
1196	4780	WerFault.exe	81
2204	4780	WerFault.exe	81
3116	4780	WerFault.exe	81
5100	4780	WerFault.exe	81
1604	4780	WerFault.exe	81
1484	4780	WerFault.exe	81
5052	4780	WerFault.exe	81
3100	4780	WerFault.exe	81
3464	4780	WerFault.exe	81
2388	4780	WerFault.exe	81
2444	4780	WerFault.exe	81
4920	4780	WerFault.exe	81
4524	4780	WerFault.exe	81
396	4780	WerFault.exe	81
4232	4780	WerFault.exe	81
4956	4780	WerFault.exe	81
1200	4780	WerFault.exe	81
392	4780	WerFault.exe	81
1912	4780	WerFault.exe	81
1724	4780	WerFault.exe	81
2988	4140	WerFault.exe	137
1612	4140	WerFault.exe	137
3544	4140	WerFault.exe	137
4348	4140	WerFault.exe	137
1924	4140	WerFault.exe	137
1736	4140	WerFault.exe	137
1608	4140	WerFault.exe	137
1256	4140	WerFault.exe	137
2528	4140	WerFault.exe	137
2880	4140	WerFault.exe	137
4324	4140	WerFault.exe	137
1848	4140	WerFault.exe	137
3508	4140	WerFault.exe	137
2192	4140	WerFault.exe	137
448	4140	WerFault.exe	137
2364	4140	WerFault.exe	137
1648	4140	WerFault.exe	137
5008	4140	WerFault.exe	137
3964	4140	WerFault.exe	137
5020	4140	WerFault.exe	137
1932	4140	WerFault.exe	137
5012	4140	WerFault.exe	137
708	4140	WerFault.exe	137
952	4140	WerFault.exe	137
1644	4140	WerFault.exe	137
4484	4140	WerFault.exe	137
4496	4140	WerFault.exe	137
3244	4804	WerFault.exe	193
3780	4140	WerFault.exe	137
2068	4140	WerFault.exe	137
3052	4804	WerFault.exe	193
1536	4140	WerFault.exe	137
760	4804	WerFault.exe	193
3592	4140	WerFault.exe	137
1436	4804	WerFault.exe	193
1200	4140	WerFault.exe	137
1348	4804	WerFault.exe	193
4564	4140	WerFault.exe	137
5008	4804	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
4804	explorer.exe
4804	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4140	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4536	explorer.exe
Token: SeRestorePrivilege	4536	explorer.exe
Token: SeBackupPrivilege	4140	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Token: SeRestorePrivilege	4140	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Token: SeDebugPrivilege	4140	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Token: SeDebugPrivilege	4140	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
Token: SeBackupPrivilege	2408	explorer.exe
Token: SeRestorePrivilege	2408	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56
PID 4780 wrote to memory of 3488	4780	74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
  "C:\Users\Admin\AppData\Local\Temp\74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 280
    3⤵
    - Program crash
    PID:512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 296
    3⤵
    - Program crash
    PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 484
    3⤵
    - Program crash
    PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 492
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 504
    3⤵
    - Program crash
    PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 344
    3⤵
    - Program crash
    PID:1196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 520
    3⤵
    - Program crash
    PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 528
    3⤵
    - Program crash
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 572
    3⤵
    - Program crash
    PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 480
    3⤵
    - Program crash
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 588
    3⤵
    - Program crash
    PID:1484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 596
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 528
    3⤵
    - Program crash
    PID:3100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 520
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 588
    3⤵
    - Program crash
    PID:2388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 516
    3⤵
    - Program crash
    PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 576
    3⤵
    - Program crash
    PID:4920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 552
    3⤵
    - Program crash
    PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 560
    3⤵
    - Program crash
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 556
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 496
    3⤵
    - Program crash
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 532
    3⤵
    - Program crash
    PID:1200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 504
    3⤵
    - Program crash
    PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 500
    3⤵
    - Program crash
    PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 496
    3⤵
    - Program crash
    PID:1724
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
  - - C:\Windows\install\explorer.exe
      "C:\Windows\install\explorer.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 276
        5⤵
        Program crash
        
        PID:3244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 388
        5⤵
        Program crash
        
        PID:3052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 408
        5⤵
        Program crash
        
        PID:760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 500
        5⤵
        Program crash
        
        PID:1436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 524
        5⤵
        Program crash
        
        PID:1348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 388
        5⤵
        Program crash
        
        PID:5008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 480
        5⤵
        
        PID:2556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 500
        5⤵
        
        PID:4500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 504
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 388
        5⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 488
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 496
        5⤵
        
        PID:732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 504
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 480
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 408
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 404
        5⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 516
        5⤵
        
        PID:4488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 532
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 520
        5⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 528
        5⤵
        
        PID:636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 532
        5⤵
        
        PID:5096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 496
        5⤵
        
        PID:5024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 412
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 408
        5⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 536
        5⤵
        
        PID:4060
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4400
    - - C:\Windows\install\explorer.exe
        
        "C:\Windows\install\explorer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 244
        6⤵
        
        PID:3140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 260
        6⤵
        
        PID:1636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 212
        6⤵
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 288
        6⤵
        
        PID:4152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 296
        6⤵
        
        PID:4588
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 248
        6⤵
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 304
        6⤵
        
        PID:3964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 300
        6⤵
        
        PID:3516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 340
        6⤵
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 296
        6⤵
        
        PID:2020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 304
        6⤵
        
        PID:3716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 344
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 352
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 340
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 360
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 324
        6⤵
        
        PID:1320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 332
        6⤵
        
        PID:392
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 364
        6⤵
        
        PID:3244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 372
        6⤵
        
        PID:1412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 356
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 376
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 436
        6⤵
        
        PID:3464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 444
        6⤵
        
        PID:1328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 340
        6⤵
        
        PID:3472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 448
        6⤵
        
        PID:512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 436
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 464
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 480
        6⤵
        
        PID:4128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 488
        6⤵
        
        PID:3412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 516
        6⤵
        
        PID:1648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 476
        6⤵
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 484
        6⤵
        
        PID:3292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 512
        6⤵
        
        PID:5048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 472
        6⤵
        
        PID:4528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 504
        6⤵
        
        PID:456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 536
        6⤵
        
        PID:1240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 508
        6⤵
        
        PID:4332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 472
        6⤵
        
        PID:3244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 484
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 540
        6⤵
        
        PID:324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 508
        6⤵
        
        PID:736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 524
        6⤵
        
        PID:1328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 532
        6⤵
        
        PID:4332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 540
        6⤵
        
        PID:1892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 472
        6⤵
        
        PID:4528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 484
        6⤵
        
        PID:736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 524
        6⤵
        
        PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 472
        6⤵
        
        PID:1788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 548
        6⤵
        
        PID:4300
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 472
        6⤵
        
        PID:1980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 540
        6⤵
        
        PID:3176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 504
        6⤵
        
        PID:3564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 516
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 500
        6⤵
        
        PID:4304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 548
        6⤵
        
        PID:4928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 528
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 544
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 580
        6⤵
        
        PID:228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 752
        6⤵
        
        PID:368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 752
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1020
        6⤵
        
        PID:3984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1064
        6⤵
        
        PID:2596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 968
        6⤵
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 680
        6⤵
        
        PID:4928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 524
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 964
        6⤵
        
        PID:2784
  - - C:\Windows\install\explorer.exe
      "C:\Windows\install\explorer.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:3932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 244
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 292
        5⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 300
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 464
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 472
        5⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 480
        5⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 484
        5⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 452
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 472
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 444
        5⤵
        
        PID:3412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 288
        5⤵
        
        PID:5012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 488
        5⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 296
        5⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 464
        5⤵
        
        PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 508
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 492
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 504
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 452
        5⤵
        
        PID:32
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 512
        5⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 480
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 444
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 524
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 532
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 540
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 552
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 732
        5⤵
        
        PID:5004
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe
    "C:\Users\Admin\AppData\Local\Temp\74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 244
      4⤵
      Program crash
      PID:2988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 292
      4⤵
      Program crash
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 300
      4⤵
      Program crash
      PID:3544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 308
      4⤵
      Program crash
      PID:4348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 304
      4⤵
      Program crash
      PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 260
      4⤵
      Program crash
      PID:1736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 288
      4⤵
      Program crash
      PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 200
      4⤵
      Program crash
      PID:1256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 244
      4⤵
      Program crash
      PID:2528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 260
      4⤵
      Program crash
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 284
      4⤵
      Program crash
      PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 264
      4⤵
      Program crash
      PID:1848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 256
      4⤵
      Program crash
      PID:3508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 328
      4⤵
      Program crash
      PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 336
      4⤵
      Program crash
      PID:448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 316
      4⤵
      Program crash
      PID:2364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 244
      4⤵
      Program crash
      PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 336
      4⤵
      Program crash
      PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 344
      4⤵
      Program crash
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 352
      4⤵
      Program crash
      PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 244
      4⤵
      Program crash
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 368
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 376
      4⤵
      Program crash
      PID:708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 384
      4⤵
      Program crash
      PID:952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 368
      4⤵
      Program crash
      PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 500
      4⤵
      Program crash
      PID:4484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 508
      4⤵
      Program crash
      PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 340
      4⤵
      Program crash
      PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 244
      4⤵
      Program crash
      PID:2068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 348
      4⤵
      Program crash
      PID:1536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 524
      4⤵
      Program crash
      PID:3592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 336
      4⤵
      Program crash
      PID:1200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 384
      4⤵
      Program crash
      PID:4564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 520
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 504
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 348
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 372
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 336
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 552
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 500
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 524
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 600
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 372
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 584
      4⤵
      PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 596
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 604
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 512
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 372
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 596
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 500
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 596
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 608
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 604
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 624
      4⤵
      PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 644
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 652
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 632
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 736
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 776
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 760
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 876
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 792
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1208
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1220
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1048
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1280
      4⤵
      PID:3788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1288
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1120
      4⤵
      PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1260
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1260
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1220
      4⤵
      PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1268
      4⤵
      PID:4888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1368
      4⤵
      PID:3100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1376
      4⤵
      PID:2064
  - - C:\Windows\install\explorer.exe
      "C:\Windows\install\explorer.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 240
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 392
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 268
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 472
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 492
        5⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 388
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 396
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 280
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 392
        5⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 500
        5⤵
        
        PID:3216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276
        5⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 268
        5⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 488
        5⤵
        
        PID:368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 272
        5⤵
        
        PID:4888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276
        5⤵
        
        PID:456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 260
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 400
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 468
        5⤵
        
        PID:3692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 488
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 500
        5⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 396
        5⤵
        
        PID:3144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 496
        5⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276
        5⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 268
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1108
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1324
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1416
      4⤵
      PID:2400
- - C:\Windows\install\explorer.exe
    "C:\Windows\install\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:4232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 240
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 376
      4⤵
      PID:512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 448
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 456
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 380
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 376
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 468
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 472
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 372
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 476
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 460
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 464
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 444
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 380
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 372
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 384
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 452
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 388
      4⤵
      PID:4568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 532
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 624
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 652
      4⤵
      PID:3852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 756
      4⤵
      PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4780 -ip 4780
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4780 -ip 4780
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4780 -ip 4780
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4780 -ip 4780
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4780 -ip 4780
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4780 -ip 4780
1⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4780 -ip 4780
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4780 -ip 4780
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4780 -ip 4780
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4780 -ip 4780
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4780 -ip 4780
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4780 -ip 4780
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4780 -ip 4780
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4780 -ip 4780
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4780 -ip 4780
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4780 -ip 4780
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4780 -ip 4780
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4780 -ip 4780
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4780 -ip 4780
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4780 -ip 4780
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4780 -ip 4780
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4780 -ip 4780
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4780 -ip 4780
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4140 -ip 4140
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4140 -ip 4140
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4140 -ip 4140
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4140 -ip 4140
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4140 -ip 4140
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4140 -ip 4140
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4140 -ip 4140
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4140 -ip 4140
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4140 -ip 4140
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4140 -ip 4140
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4140 -ip 4140
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4140 -ip 4140
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4140 -ip 4140
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4140 -ip 4140
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4140 -ip 4140
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4140 -ip 4140
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4140 -ip 4140
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4140 -ip 4140
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4140 -ip 4140
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4140 -ip 4140
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4804 -ip 4804
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4140 -ip 4140
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4140 -ip 4140
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4804 -ip 4804
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4140 -ip 4140
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4804 -ip 4804
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4140 -ip 4140
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4804 -ip 4804
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4140 -ip 4140
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4804 -ip 4804
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4804 -ip 4804
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4140 -ip 4140
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4804 -ip 4804
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4140 -ip 4140
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4804 -ip 4804
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4804 -ip 4804
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4140 -ip 4140
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4804 -ip 4804
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4140 -ip 4140
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4804 -ip 4804
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4140 -ip 4140
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4804 -ip 4804
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4140 -ip 4140
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4804 -ip 4804
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4140 -ip 4140
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4804 -ip 4804
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4140 -ip 4140
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4804 -ip 4804
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4140 -ip 4140
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4804 -ip 4804
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4140 -ip 4140
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4804 -ip 4804
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4140 -ip 4140
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4804 -ip 4804
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4140 -ip 4140
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4804 -ip 4804
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4140 -ip 4140
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4804 -ip 4804
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4140 -ip 4140
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4804 -ip 4804
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4804 -ip 4804
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4140 -ip 4140
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4804 -ip 4804
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4140 -ip 4140
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4804 -ip 4804
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4140 -ip 4140
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3932 -ip 3932
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4804 -ip 4804
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4140 -ip 4140
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3932 -ip 3932
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3932 -ip 3932
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4140 -ip 4140
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3932 -ip 3932
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4232 -ip 4232
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4140 -ip 4140
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3932 -ip 3932
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4140 -ip 4140
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3932 -ip 3932
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4232 -ip 4232
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4140 -ip 4140
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3932 -ip 3932
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4232 -ip 4232
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3932 -ip 3932
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4140 -ip 4140
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4232 -ip 4232
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3932 -ip 3932
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4232 -ip 4232
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2408 -ip 2408
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3932 -ip 3932
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4140 -ip 4140
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4232 -ip 4232
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2408 -ip 2408
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3932 -ip 3932
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2408 -ip 2408
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4232 -ip 4232
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4140 -ip 4140
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3932 -ip 3932
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2408 -ip 2408
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4232 -ip 4232
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3932 -ip 3932
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4140 -ip 4140
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3932 -ip 3932
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4232 -ip 4232
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2408 -ip 2408
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3932 -ip 3932
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4232 -ip 4232
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4140 -ip 4140
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4232 -ip 4232
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3932 -ip 3932
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4232 -ip 4232
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3932 -ip 3932
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2408 -ip 2408
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4140 -ip 4140
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4232 -ip 4232
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3932 -ip 3932
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2408 -ip 2408
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4232 -ip 4232
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3932 -ip 3932
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2408 -ip 2408
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4140 -ip 4140
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3932 -ip 3932
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4232 -ip 4232
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2408 -ip 2408
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3932 -ip 3932
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2408 -ip 2408
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4140 -ip 4140
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4232 -ip 4232
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3932 -ip 3932
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2408 -ip 2408
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4232 -ip 4232
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3932 -ip 3932
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4232 -ip 4232
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2408 -ip 2408
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4140 -ip 4140
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3932 -ip 3932
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2408 -ip 2408
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4232 -ip 4232
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3932 -ip 3932
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2408 -ip 2408
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4232 -ip 4232
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4140 -ip 4140
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2408 -ip 2408
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4232 -ip 4232
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3932 -ip 3932
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4232 -ip 4232
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2408 -ip 2408
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4140 -ip 4140
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2408 -ip 2408
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4140 -ip 4140
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4140 -ip 4140
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2408 -ip 2408
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4140 -ip 4140
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2408 -ip 2408
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2408 -ip 2408
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2988 -ip 2988
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4140 -ip 4140
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2408 -ip 2408
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 4140
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2408 -ip 2408
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2988 -ip 2988
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2988 -ip 2988
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2988 -ip 2988
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2408 -ip 2408
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2988 -ip 2988
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2408 -ip 2408
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2988 -ip 2988
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2988 -ip 2988
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2408 -ip 2408
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2988 -ip 2988
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2988 -ip 2988
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2988 -ip 2988
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2988 -ip 2988
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2408 -ip 2408
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2988 -ip 2988
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2988 -ip 2988
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2408 -ip 2408
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2988 -ip 2988
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2408 -ip 2408
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2988 -ip 2988
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2988 -ip 2988
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2408 -ip 2408
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2988 -ip 2988
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2988 -ip 2988
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2408 -ip 2408
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2988 -ip 2988
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2408 -ip 2408
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2988 -ip 2988
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2408 -ip 2408
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2988 -ip 2988
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2988 -ip 2988
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2408 -ip 2408
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2988 -ip 2988
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2988 -ip 2988
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2408 -ip 2408
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2988 -ip 2988
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2408 -ip 2408
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2408 -ip 2408
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2408 -ip 2408
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2408 -ip 2408
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2408 -ip 2408
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2408 -ip 2408
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2408 -ip 2408
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2408 -ip 2408
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2408 -ip 2408
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2408 -ip 2408
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2408 -ip 2408
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2408 -ip 2408
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2408 -ip 2408
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2408 -ip 2408
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2408 -ip 2408
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2408 -ip 2408
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4140 -ip 4140
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2408 -ip 2408
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
d967ef56473a61c57267033d8236cc8e

SHA1
d52ecd13b9be765cf1edaf72ff45067912781b11

SHA256
d738dbde1e52b82e11eb58b4f1e0478a2f91f08b56959120b7bfd55b9c26fdf6

SHA512
8cf8e4bbd57edb4c76b59d04265e855c67fd2fd335e7dc4084c4247867e743e120f078054aebb9ab938796e85a016dcd097b891141cf23ee4cad70ff13d6c451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
99087a43f7a15c55c0a23814690253c7

SHA1
4003e0e73ee8a579a2cf86bcb8d96e445ebf1c65

SHA256
f5c3c2d00bd4ec441eb25393ec0773a4b69202cc0066d639d6f1432f416ad858

SHA512
3007bcfe0dda7e41c8f2cfdb27d542f1c79dfd28d8db84de6f9d97c50594653a0e3d57717520acc076e1dadc992cee0773ac858e8580ce5023d3380c988d0c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e57e36287b16b1f5393ea5a0a0aa7fd4

SHA1
5e816f3c30dc34796f748b11d5a83b8641938406

SHA256
739b8d6272617ce0953e85cbf341952e3f81a2950bfb87883a0ca1da368a76b3

SHA512
faa4ea8546fb2b8bfc333dee3068aa03b2290133f9345e77cb6372a7e43f19f9107e613abf7979cb3d6e9e6c0217c879c936eb66fb4cc00cbe8695bfe52547d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
515fa254919f1700315d3dac12352587

SHA1
f5f33f2b2b5e620b5e06da43a3e5b2bc5d4a56e1

SHA256
89596dcdf39925b86d88657ed2021b7246fa196142334d4de35a78bfdeb35a6e

SHA512
fa9d1261255f72e0d2e418e2eab4da8f63194e78fbda87eedec301d2892ff917f1164a31ad5460626804a9c0124b3a7705a6fe0edc040374dd0d6a77465e42c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b28335e203410adbd09cb62244250636

SHA1
5008d3c187b08ff0fecb4af6a66c3401893802f3

SHA256
3199e89b294d83859b4a7953ac4d25286193338ac13d2a3e7aa7813a9cc72ad5

SHA512
7264e7fc6a9c104c949eb4c41c456fe7c52c32813bbcb84a97ffdd9dab78e31693ec22451a2b1a891aeaf0ab30f0627b9c663dbd042e6ddb1071650322b4ebb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
037bff38f05caa66211787535d45fe7c

SHA1
18849fb07c4baaca23a91c834ee8606254213ff2

SHA256
e550c4f6d9de3220be38496f369117c029c638093133f3b426f88dff26b62ef3

SHA512
3d4a0684617d4aead1f4b90777d7b9ae292cf9d92442c025ad20bfa39f386a0d460bf26fa4378cfe8215251eb54e16c48115bc170bb78e5f78c7278a237f03cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
95ba8df04c3a6e8a54d7b634f223ee7e

SHA1
3bf716e2e7882aa6bcf7c83bea7de952176665cb

SHA256
51af757853186edbeba0b0be9a90fcc4154b6dd5fbf64d3d19d5f172a3872e10

SHA512
09d5787a1f4453be832f05b6a8e24f4c03fc8049e9b2df60e725d22208e937876be898e17fce8c4ab2edbc7cfbbda9049ca56009fb529996f9f6c0836e0faeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
38f90de96d652649e4fe8bc6e30b3357

SHA1
a6505d821e5c7cb28711fd52c8b66a991af9070f

SHA256
5132fb0041068ff3ff24f2e4811801082c7cd65f03d0efc56fe83c9dd4724574

SHA512
48ecda816f086f3b1c265d838c24be8aa2c4aabe103dbbebf3508138e911cff95cf2d98d24cbec2a6edb2a2fbeb4027c2d8f095783d98ea4b5d0ba7ac1e5e17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9d2b33617f4b950454967063d1b6fb49

SHA1
e97c6479c01dcae9531e937fc2500db9b98c527f

SHA256
3c163ff3ef2fa6ce5a4e0f6c8de431aca920ee43fef8c63e468aea5803ddf3eb

SHA512
4ce5d128d0e2581d3f609552d5320a37adf304cc8b95a42bc4748f86535256696cebfcfb6cdde5ddc73a25f6cad79969783d8fc8c76fbdabb66682144e8222fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1d1911e56cc17f99f13ffbe5a62db207

SHA1
d9178f62689b2038b59d2c2b8fe09ba920afed30

SHA256
3625aafbc40215565fd2a507280b042a02b26e8c08f744145001afadf4e8b27b

SHA512
b949b5c4afd6fd9bd92bab185678bc6a398af00ea287a0eb30513e00816db273aecc7ca07ef70970eb50d2604d3b009537c932ace059822a5f1bafe96a04297b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a991063d1a2438f3efb153262d084ac1

SHA1
2f9e9196d0f5c2c658ba7c78e807f86c1f0fa552

SHA256
515351b829ea1fddf5e1b1159036284d065197e1c79188d396ca6ceec8b93e9b

SHA512
e711efd6a3166e2acd45768a731b4771e41680bd84711c8e27eaceb45f110f98b13e4afd0996fb92d73442c09d96377a74027d701033a970e30f882fcac85857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5af262a2a5a07ce99c852e6bb447fcdf

SHA1
d91fa1a33780604bca2101a4d040a3a1a6406f26

SHA256
80d47a06199bbf703c1365d5b6f68fe6daf2b7cb3a81ba98b11326fbed6c6917

SHA512
0ce040dd229222ea89db1e65a327476367ec84bf2b1e7965217257ba4014ce1c802f1007d806e1f0cddd3b1e57dab9ea9f4fe095606d1bcb3bb83bbf943fb245

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5906d57cfa90a9146fb7df641053f3ac

SHA1
3f7f3a474ba7de744d60b8573fde38612a5d5fb3

SHA256
74fd002cb37cb5143332a3c2279e674ddad2dfce48d767282f21559f61380ec0

SHA512
671b0922492848794a6bd208d370892f189c5db12d3b2ff2d7ecee4c21208f0349e71ba2613c340bff3eb54e6fa33d506f577e0c5421ea23b98bc9946f434b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd716ab659fdb7c409791ac49a0aaa71

SHA1
153ea74274941b222f74ef7d77e6157596146a25

SHA256
544d7cb2964417d7405eb397c3b52863cd609e0e606c0d3fcbfa279b7e7a1a96

SHA512
0f0c1bf35aa28e4010949865c6175ef9e24809aaa0089243cbca62b8ce05189cd2045c59902ad2e072c6cfd17d660cde80b2eae6263b8d5177d483d5bdffe376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8f0be5dc46ad6ffa90f485ecf69f349a

SHA1
2de705f1ec8c4a6a3df1d2d7992618b0665465e0

SHA256
898aa764fa53c6c5637168222aa8b115de94f5f83f0f55b9de6addf7e0153518

SHA512
9f00f4f5dafb3080c69ad2cbd56df5958c2e0653aec5be51daa895a6020e4fd7e79ba5bbed74852ff10892756a006164db0cb03c3b4c7cb7d90c0cd67930cf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4c7c3cbabe88dc84f3e9d71c853f7a7

SHA1
7abc74214c88d24775f93ed3c327ff3933bf293d

SHA256
4c1fb72a3364eab531bdba731551aa609ce24d32d745ed6ff9b42cd86d59b14f

SHA512
fc47784dbf78ac7a838adea770ace6230d1bd2759dd743522218bd31478a61452e2e4901a333b8ecc240f221a45fae2d06e79389c9048bda9404e14871c179c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ed13c130ecad3083b55c1527493d2771

SHA1
67296974ba7f36407b383f5af95da9cd432c75eb

SHA256
1fc53f5d73aeccac7396f1ae5244912665699c9ca4c411bd3699c48ef3e14773

SHA512
10bce986d758d14cb69571df50091a14de1d1a641d440d2fdcd14850c012d6a43efa723f92fd1da1527cf512dd96362bd5b69b4c45a3788f4a6ddbfa15d4913d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a4fc1f291ba90e9f34c75328ec6c556

SHA1
62956cc5abd2abfa970fa717e847222eb59bb073

SHA256
5963e2a6a90f80cd7415130ef49c2fa40411ebacb54106d1be90d3bf0c56b9ef

SHA512
4f7f692a4c89d793a482873467a7679c8165e4b87ac65bd0c6e1cbe25b4e9aa00561f19b826d4fdc1412a221bbc8d279a2bbc7ec44b1ceccca0f1798408a1c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ddafb8558ef6de00edbd2559ff39eef1

SHA1
b5224bcfb3a0f7d8f8fff75229b3920fbbe2f478

SHA256
2f8d41a89a18ee3226bfa0e7a2dfccd48aa2cb8c47d5a4dad27ac217ca7731aa

SHA512
2b2da1635820d46369c31bdeed8f8386edacccef86d19434c36be088b9190af4e833671b46f7eb9180ffeffac816e11a9843778c538f285fee87d266cf1ea5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
007cde42db59c543679c3a2010b236f9

SHA1
149268cb00d792abba7ec1878acd924d77707a19

SHA256
7b252ed656e708505d79f952fb11fa21fe4a32399d82f0291532f70b692cf91a

SHA512
223cd9294c04370edfb40a9b0c4fd7f360be777db4bea75592d9a60dc4e27659fb408e50a0705afb735605983b846e3c439a30ebbb0b5b79232793426366a9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7fe992cc00c4aa0999c512639f879c28

SHA1
63ca0aed7f475680ce5b58e77e734d13ab30f119

SHA256
61e2685145ade4919f51fb792a99ce118f43c98b4deea2a057cb8bbf27839096

SHA512
78341a3156715142f88f99e11e27ea7c86b80e8706cedadf716a9546b7ec31bb8efc17120ba7fd26a5f0b0a19226f6c74c9932f9b6561b3564888c568da75428

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
220ca5351ac474ca01945d78b808bc9c

SHA1
b71f321fafa3f231021a73736482c0d00ff0157d

SHA256
8482c9c702a094e20b8e31071676c2d4656071041c2ed465857db03797f4201a

SHA512
8317d9eb819782e1f2753a138fd34ad1fde4ed6447fd73c9e120119e2cf8241d6270963ee97913276b98d19bea86e05cd54ebfd13b06d3bca1b505c6824e9f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
81bc12f0c2da9d332f476f391f6f52a0

SHA1
0336d72f391523740d993ea9a44354ecce1fb932

SHA256
d55bf1e3abf8c53fe4c1d402dcef34b057ffeb43070f801a2be287495f44df32

SHA512
ed264bb122e4e088240cd2a25b11fcadd894c33a8a0d49fe86068ad306f40faafa186f9718255e72dee748dd4b982c3998300e1ddb44326065b3c6792a1811f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62e9c4ca8e975afb6ee3fddf66b85828

SHA1
f4f0ba0f70f2d66fd12611b755e46cc1eb7ba40b

SHA256
6e675024e0366e6c0c9be35d94055f9681820fb46e33adb68fcdc637eadd322e

SHA512
aad2882ebbe88d721ed52c2d64c1e03aaade0a4b1fbce3cba8857939e5e0f1daff79b81aab79288fe5cefeca6376d7434ed56a1bbaaf0a91fd7932471f84ae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
13f1a2b5922d068e90d13a5d082b7170

SHA1
b74139a24d1acafc7e13357a558683a2cbdb4c5e

SHA256
14f9612e905589efa83e1b0a8234a347684466af93835c5ead2b99d51a3055f2

SHA512
4ee7859eca2a537d23ef6cbd0b72b8ac4dbbc7ce1d829658e6fc3876647e02660850157cd60a10e3ded5e7b038149fd560225679c81977266c1d5c5c9d21045d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6abb3646a441ab21e515b7dde1e14083

SHA1
5097d131c476f36a5fd587beb8a00e9a89a90e91

SHA256
6bb0fcc55634f68113b4db61eb49e2de20a0e67e50b12042fe0046e27271edac

SHA512
14770a6673ab280206d28518a49837ac0fdaff152d998fbe60547d0225dd044041bfc8274798f70cff8251f3bd47392b3896ff75b649e01dcc35601d8ce0fed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
741c1781dcf8d5c4f90c3490ddff9d4a

SHA1
61bfb52c21ecc5890d729522b78cfdfad6e5a8b1

SHA256
c8725d3d876b01cbeb4eb4e68d03e8139b5515d1227a16b149a68d28ae9cf244

SHA512
d86c71e32efb527079c27ebc577c533e78686eb4703913ffdd64f49b3e0ee44ea7ee569144a71674b72d9fd745c7a217deba66afbd7da03a28dfe293106cfdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
375e38d97fd890499a87b0b3b18f6d69

SHA1
fa96ccae3640b421958dc21174bd068bc689a832

SHA256
8aa503fb1f46ce9ce96deaa9d3c26b7cac6593e1b77b260e490e0005f47ca2ea

SHA512
29e43f9ecdd25c9c401abc56cf7c72a85aefce10957e2b7dc3187f8df378f4f8ac63991674d979da01ec7afcf12df390121c12591a8f0a3973be7527a7ecb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ab5294220409e2fba69aa7a0f99d7d90

SHA1
7540a48af21f464cdeeeabcc9a11b3037ddacf06

SHA256
fd6784b8e26aaff662af31d4707588261b1d998ce2d0f21c66804bcf52cdd0e1

SHA512
f3b8b29620bf073e2243a7cc111dbb9bed016f17fade1a582b45dabf353f0f24ad13602225833b7a5a3107c1598c59b6a4132ea948368a60f39d0eaf83254d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6bb29da2a4f6e0a040d20c89930e7be2

SHA1
566dd7a4638cf5bb6f9045cc73753ec638235c4e

SHA256
c36f6464376da9838511ca3b9c5cd05241baac88e78d155afbff4cd1a6262d59

SHA512
392746932d803132f38ac6236259df881a8f75e6c77e3571569bcbcd583092ce3cbb1e701824b7a10521dba437884752a8d54c66a1fa85df59a63bf3b467f553

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b2bf5d412dd2fd304386a3537a74c4df

SHA1
14b81ba80deb8bc89e8c1226c7b0bed06647dda4

SHA256
ff774e30b51ef95b2cb864cb7f1a9283c6b1bdfecc813d6bfc3aca9b5053d7f1

SHA512
f854cee29ce1fe0c892ec28362bcea27c71c877952fcf17216e5505e8c09a997fa0539b5f5af9d9c00200c93571cdd96ec9e520cae7ab2439656e7cc5a47305c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b72868077db7290a35a00121125ec94a

SHA1
87579e511b16086f981331c37c20f0686603521d

SHA256
178b28b135bed5a6b9d077f0fc57e73ff7999d0c45b3809240aab08acc01bcd7

SHA512
46431c870c39ee5e42ee7a4fb98a032f63943a86db8a491feb9b47d6fecfc24db24a7d4542fc0850fd89cd144925f35aba964b7f69b5244976e3e8aa9f4acf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b5c2111ef5392cefab291191c5a271fe

SHA1
07ce177d6c8693920f03c1efaeb20f51c4c0a6e8

SHA256
390a7ae3f269ebe164d8b777a7094051573294df570314a1db2e7da4c71f3691

SHA512
60a70f98e290143c4cfbe918d9e818f3000efce17cf5d60f1321a923d03d9fac18112095376f98a97156c468c33a65d5e84da8cc24e00b22d6117924ee935ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bb323cfcefc871e63d3047f3f53f1290

SHA1
4098c3a9af6191d013b4efb9b36d083c35a92374

SHA256
f123ca6a516a286f666f708469924e18ef2672aee6474cadc0f587aafb693f47

SHA512
d9c97f12a2c803c788910cd18f78a813fafdf212554450006aedad781c701a52f20c02be082089b6d756623d5cae2cd56c2f89ec78ac5b2ef7eb44bd6647da95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2908c6afaca3ddd0df908840e9a9d4e1

SHA1
9ec1cf04d1c9e0dbaed9ed4f0b96131f886f45f2

SHA256
f159e4256a4871a823c607a0c28ea79234fdf8216a00b202d6b8a7e3bd02675f

SHA512
868b70ab8bb6e2fd0857dac1dcf8bc5bf86f47f81a0400b9c51e69e1c5575aa9c41bb15a313608f185abfefdb184760d5215107464e1e7a2cb1210a7f893b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
287ad53ee46713928b1dc3cac247e290

SHA1
3aca916f119f657a487d634e59ef5bf309eaffe7

SHA256
cf0b4000188a958cc2b12f6f839c94e699d1756322056101c7f17d27910a4305

SHA512
93182faeadad7fbf43d31b447b50ab6e93c5d00624c1aaeafa389be7cfb9d0795861666b18b329df71a427632d3a3f46b9bb70c1dbae6b206dd17d90b45f9bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7010255d6f3c15c5c7f1272643a7b568

SHA1
7799fc6075505913e61ed9db0393543e65ab011e

SHA256
053c2273df37c6d96c16199155a78b03298e575bcc544809efa4067967ae2a7c

SHA512
92fc502798657fd755cc323042d3635f94779f74cf1461478e6800dac3149bf59691530cfb9716e206b1028cce9f51d5b24dc109d09d36578be14ea001362997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
29b3994a8f90b6ce851a79f23e0241e6

SHA1
c2cc5bdddee09e89afae86016c9bbeb547dcb2d1

SHA256
0bbdbda7ce1a2c49a42a221e609da6f41c71ef80f9d808221f6c5d3559aa36a7

SHA512
9e34de26cf0b2d8678b090092a483470524ffdeefc5257ce103512036797f60848aecd1ffa23b675db63e301a4caedefa431d928de58ddba0d55a2eb11d33af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
322378f18cd1cc56d8fb2bf62ee98298

SHA1
89f16e27564e281701f7ea9307785bf092ca2c9f

SHA256
ac87ba51103d251bd055970662e68782da5d173a4631cf84cc4cc436d2eac9f9

SHA512
6824f70c4338aec3ab4468eb65363b4814762ea934390bd96b53a895de85f277e3401612bad04735ca9a14d6f607f37758557525c52b0d13c0ca4a13974af5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eaf2c50348a7288997f3467de8fa8dfe

SHA1
b43af3e36372bf36242845779559960cf0bc493f

SHA256
4e061107f2d2557546e3b3073d9bb7c8bca91db7d0950f12474182eb89b128a4

SHA512
f753e6ab21ea3cb01e14463ee4449037984491bdee330ff8ded318bdf052c523da68a175eee4b0298707ae94016bc9506a0cc3e77bf1ed99b5fe69765a6d33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68210f06fc86c8c729a18985bbc4dace

SHA1
ea969f370e62febcde9a15414fb6c449ad3177be

SHA256
d168e2ec44742c4437ea29a3704ea992d33fbe3b940a66e49e1244a188256ad8

SHA512
9c08f965b2cf91e6f65a26a696a531a65b0a15262c46b361b780c9d58fd384854cdde56e67aa9ec622a22f7827ca3456bf40e4297affcc7a84ecd0973d83eabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4936890e1fd0d837964c5a436afdfd9d

SHA1
0c262d8b1addc7f4be567bb9ca7c4574c8354de8

SHA256
2004b16f605208a642e482fc64a8349994e62719f1d3da1d6b2ee49e6faec526

SHA512
6af00877cada822ddd181c8d118848ca5b87492aeded93f6f050eb781175432c0d6f772b1ad8bdcf13d505d4763f907af83a3b3ad0c110f8ac76214b0bf5c0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5b408bc70e6f369b82e4fce828cfc562

SHA1
b4d85108fb8c8a60d1c158cbea2787d7dd5cd8d3

SHA256
3f7b3835e7978aacbfbdff52ecfff10fd389244abaf8ea80abb696d563c18992

SHA512
6f7848fff4e4df471618fb7f1b28c502c8521f6f18c50f8532eaaed020538b5322146c6e42bd1be3c94779211ef009a272f6409740689403e22550ffa2568e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2aa7fff8d8f5a1945e44b5c281d398f1

SHA1
2a198659d6427c0144db762adbfd8683615f3395

SHA256
f5ebb5e533589f9b3e7924fa604128d79ccbe71e90af35b9019e2a07e38fbc45

SHA512
0775b983f4d17842993c490961d3f9492b7fcffa9840e58373b711a6e2e9f3edb6d9c3a5a2f31865ab845ff8984d3a89a4a08572938657dd8eb549a92255e739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e5d4d709293750c4ba79f687ffae5e0c

SHA1
b6dcd296dda5c96622820fb50d27aade6cd01137

SHA256
b8a6828b4e5b119952c0d3c7767aa1f26e10c80623419ad8e0c702fc7e2b867c

SHA512
3deffe8f19c3ad85de14018e0e44f897d8e852628df6c1118088362beb54ee025fba98aeff266519d264209d757930b7b027f71627a41e452f63b51b08c5b100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c8ff584eac3d955c6cffb52d18b2a4eb

SHA1
c84e1864c843bf417bd8d3c3c0b7c4815db7eb39

SHA256
61a3692da619083f87d90a6fcebda48997234d9fff3aec75139600861799cbdc

SHA512
996266b7612b593e07e4a3374c9dc95f1ce5ef77e5e64419bbb0c496dd11f78ee4fba08acea165201164624c073ae2e457d926254b8ce0a989dea6cb78d7523f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4322bfd02cf29031388a98d5b969660b

SHA1
95a62cfcee0a5934cb1c84dc00165f1c5e74abca

SHA256
575f7e3c9a494b6dd68143512b5ab688a09c3f59e44029dd04a860070d05e0aa

SHA512
1e91f3935f0a47571a513e38910eb8cd0dda5f3e7e3c43cef7b5a46efda7b0e4672d8cf7320689181ca7e67270a8e6a0266de28aa3e205229be6f4dc55ce8ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3f5de2b4ffe3e5bcba82900d62d230fd

SHA1
3f57028e5d2250dc3d3dba83a0a2f36a88a04975

SHA256
b67243ae7c499d00162faa81c64a3d449ceab9f3d2e2e450cbf9d4e00ae22bfd

SHA512
eb01861c397ee026cc0f045225789761d9e61f9ea9d2e38d5c30b5f62c2315df8cf0aaa2fe2b08dd2a2848e46b0b104b67bf0f18bfd065750b3b0fefbdc38584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
686d619d52891f94fb7e44d56080e352

SHA1
14138e045dd7ea3fa83a39541a0e78bda39f2cac

SHA256
068b24e9f14015dcaa895ba413e75d09bf676d745c40ceb0a072cf0ddf5604d5

SHA512
406e5dbcd3b0987cb53e2cd52c375d9d6b2f122992dda589d6414be533ae8e41b693450bd301016c9d10fd59b53d7ed41bf13f50b75b4df7ce3b9af26362c734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4b9e76e826babbec8c283afe211a373c

SHA1
6226e917c3d9795d42152048d3353c1c32feee50

SHA256
15f691753b1a31b05c36f1925a6586516e8b1dfdeb2cf858765ded8bd66a871e

SHA512
ad59effaaf69e6103aa0dafb8410d26239a077ea1a707c58c58737a89a36e18ee1c7b55b5098dc7443ad51985e42daa9117d417c70bda3c521722b909a1402dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6d351bfdcf516d81b497a68c194b04df

SHA1
fa5e90273b95742e309f65a0b41a4239e319a5e2

SHA256
a21b15b22976b4d25f1b54b2d953de5e53b9604580d98a14d9384ba1949287c4

SHA512
c8d1ab26a1b42ccdcaa37773d187ed61c269139b94aa5b6c0811958eb7f08708f25ceed3825cb47e76ddbfa43184773867e2e89a52569ec5751c071a2e130461

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f663cc53634d4db54b041af02e9b7bf0

SHA1
fae4eb7bc5b3182f77a09905cb9b137e72f300b9

SHA256
1adde9bec37f243e961bb06db6b851109ff6a3ebd8cd8370150759960cc8caa2

SHA512
ffc277ba416293871cc3ba5f3a366624958dbf0e8a94a2f4374a765281413a12fb0b11381990981a6129a04de9576db97dae27864a195c8399f78fe531f6a7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
374d4f4a1ab37f93cd7c3912d84ac2a8

SHA1
4de6f6712ff95ffa24db85451f1c4539a7bf1b34

SHA256
64dd244a3566c6920a52c8d0cc518fae565d23b60dedfe023a45766d62d49199

SHA512
e4cb4004a3e1584f726e91b14d3faa059f330c38b197052c23a2a28d6ddaba623ded5a440e29b43d9631b89b6a5cb6a5080cef267049dae80f02afc66110b468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1b48a2b6cf4ba07cfecfdefbdf62b080

SHA1
929a6c635d895fa3c5bdb142b0931793b687a4e5

SHA256
8aa4fa4a48f576b2cfb274560f56578d4a23dbc05996e3a02044ef34c0bcc9f1

SHA512
1aeac47c67de796d8b0dca21b1aba24d6c9a9f7a8b56c65d4cbe2df9a7e885e667ce3d075370debd9bf6ad465f3c0ad274924cec21665b44395f071ba8333ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f33c2a63865ad91f74dc9cf3b45c617

SHA1
ae2e751055e95486bde8b32ea81072484e512cff

SHA256
b8a9646ed5bec50963e817db3154eb6eaa10e411817c7514c3a026bea3b257a6

SHA512
4483658df49c98aa8cea14700f4af80b7c1973f48abbc9a14c96d8453061b9f1a76385e0a75f4d9d0d03e650c753d37ff33f84c874b7a4710949f8a01ecb8ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
70590cf0928eb81e6a768ee476e1981c

SHA1
925dfd3af3a1792d2efabd64e56fd9d17331890b

SHA256
9bd22806a9015bb0854f7f59a141a1956980a8a0469f3f44a40513202be1190e

SHA512
648c7f1f21fe0b97b2a01b7b011e1b7ffc763e8b6625521afd5ba517cc9d57bd405c055832afb88181365165e41bedbb7584c6007a9abd7f7e1782dc53acb44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba0c54ad064b9510962d18a912b0fdf3

SHA1
95ecf7de94adda46c26556b55856e3608968b836

SHA256
a446e4f37f994f655b03381725f75a4e024750567a8f19fe71dd13cd109767df

SHA512
2f492c976f67529a1cd1b6db62aa6006834fb5663244e08582ed35d3d4390f6794f56f267c045c1366190e213f91e7042e603b1ea401a94647592f9d84aadcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e7ce71682dc0c83f8bce70881aca22f0

SHA1
3c6a0ff59ce4459943cfc50b9f90cc5976c3cad8

SHA256
2665c148757074e51f35182221deef376137fd1ea0f2b78a8cf9fe4af461dc64

SHA512
b4aee142bfaf195a93c468b3126d6b48c0cfd4488767f992067bc498a2a99a163e0e14a971af66e0c81bed48cfbd1e37263c2d783c91e014a5d1e98bb89b17cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d7af09536fb500272cf5f73163e7e412

SHA1
45b974f55434305c61571e59955d79cb9037aee7

SHA256
94d79bee9f2dd8ff5db78a5cf8001362ef50b61099e439b3b491f6af97d56e37

SHA512
3a63d7524323489e7a95565de324201519bd0ab1683c79cc2d38a4023d8012106320b682bd56f86e9ed132ec6fa862625f5136f27df043ba158b932d7a6ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8217c34bfd44f6de02c889c1088bba4b

SHA1
9b29142da249e1c9ec1c010227a941a7e115f469

SHA256
1652e1aa3a9f86ae25268d725738d8d25f0ddd77635315087d7ac6275dc69b75

SHA512
504d0058e3780526ef9cf74fb5876e67d17a36f89c5c771e005335649225320593264255adba56ef4dd021aa23a0c7b4792a05f3a2cec6f47121a9a5a97c0663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
502ee9e516f1d1c026ba8ab66d9365d3

SHA1
ce5eac995596fb68b403b9f5fe49c199c81d3ad3

SHA256
5e2b5afc00e116caba8e3e0c3dd7fa84acfc212af2798a6dd19e67ce14df13f4

SHA512
45c36703b6a1909d06859a5fcb9b1d0d28dd770ff227c11049c0d10663d979f75b057b884b7c562927225974ec457ce2e7e314a9260a56b4785df8c3e9109952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21112aab10a238fb91a6820789598088

SHA1
7e176a1b80ad72e5bda8b400f4f7bb15ee453d5f

SHA256
ed0d69765eb20171e663f60855430d4c4e1f8094d30feac9c951c7a250caaa11

SHA512
380fb39736336ec4b1a18af9fa388845b6d2f6af65718a9b2ce4dde6bab6228e261e8c11a0f51cf3dd3fa121f3a1cedc92f06163cc6bf97815fd4645010405e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8dff41d603af0af25924b8bc0e545448

SHA1
51f9d3956cd37353f75079e17c92a2acb1df9e71

SHA256
e8246f189573a597329fb18e112f21e86579c7a0a1b23d64b4dfc1c91f0c6dc2

SHA512
4409be0585be8af3e2aa225f83ea7855619db6cada22b1eb7a01c2059a61f30cbd842d9138ab2fb9aee924259f827842ad423d2263bb4c4ab60cb282ff7bc4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2e81d0a01db39496512505d88c74e948

SHA1
1a86351f57ef32e04b760a0509704a4afc961e9e

SHA256
24eb7afe9c203a2975a17871db825e8d7d7a4d683b99166e6c227a0256e2c2c1

SHA512
c8ba0de7abc07b3a45de2c14b91c5f737260d36d0e1869eacfec781610a1634d3ddddb6514287e6797a23ff5cc7d1a67bd69bb879ba8bc12f01370cc78ce2839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e0cb93e338355de98752dbdabb7c3b4

SHA1
662d1e1bab64ddf2318b8d097341ae65e345c94a

SHA256
8c5923d379d531e999f507e6b6e7a01f6883e3b3c74cec7dbf6f13b90b3cb925

SHA512
602301b9144c87841fd4b16f41f7ac342eedcc70d5415c01db6becd05ea10f0a7a756e6f431b7b69f63922407abe66b9bb427005c2992e6e92542019fc8e4f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3243302eba83618dc68c726c12b519c2

SHA1
8c5f44c475271af3dcb5cf2371102387c3854ccc

SHA256
238336f017ac7e947495ca402ecf849007567d1882f20cde2bd0467c59e21df9

SHA512
1e0add36792d7e2b0db026d6c57367a21d13a2b5d7a4f9a5e3c45f003f3fb90908c24b79ed66972e8969614ef6570df60f47b375291aec168ddd657ce7edfc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c20b005b23e2ea60a568359c5b93bacd

SHA1
d8f2240b4441c8cbd5030e73b82a4de401857366

SHA256
0c3e762e4ebf1fd1927e7bcf1ec87559f57b8da2390abbfd97022a88516a60fe

SHA512
d7d151ac59ab26b86b9a5ee0564d56617f365d2872f594e2420b34d63dcb327a41ea500d645c0dc1f001e94d30e1002c4488ed14b1abb263baf2fc8a9e611e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb4bf3c4bb5d307083b337b340fe9344

SHA1
ac8e978e34d18ec9005a2d47ee5c88108c816c3e

SHA256
f97c2c954a5c2f8c3971e2a8ffc3b5a537deafe272dc385a594a47dc32aaa59a

SHA512
013b29c7c1b22e53d15c5c221c70f4e1be06eacfe0f8344543839e2a1c1fcb905b14b58502445edfec03bd141c0f6ba765847a78f7ea8a8465b39d12f7cbd307

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1698178174b2e4e1316727a5d9eae5f2

SHA1
6ba12ca190d5ce46dde4d72157bcf231ef067356

SHA256
8f983e29e630e1fcf408bfbe585387c7351ca55428c332684d11ca561c9dff32

SHA512
401d625fac41ea388ba88cbafd238d3d9674c63870986f9d5549b9a1ec5003a1f1d729d3bf05dae31bfd66d9078ed710eb515b32b811f1bbcb34d91295a56d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4f4321de3cce0d832f5c61fbd081395c

SHA1
4034a3e64a65d5f886ffac32c51625c08af7607d

SHA256
314f7480f6383638dab196052fcde2598428b66ef9113cbc5451abc7a83dd728

SHA512
3304b78fba24f44feef859f8e1ec1ea26f80bc752c13f45632533f6d114cc078284ba0b1f58af2a6a64cf239a03a965ae01ebba7d268cb95b128a67f14b0cce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba55078afed6594d16427898e4cb9a3a

SHA1
b5e911735cfdec265602df06d674e5e9d7e630f6

SHA256
0aa383b01268ee95301e430d72b97fb5053d4fecf44e45a6ee755aa1a1821e96

SHA512
cee8bee926410f1b14e5303da1a5eb91d01aad2e9efd295b5024637090c1081834b19996ab0d6269b2e729b1330af5eac6dad4605d755cb4bb38ee56d7d86867

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c403bef21ede71626943ceb75c934540

SHA1
d0395cc157d8a2074f7af95ba14046159f754e1e

SHA256
381e0288e27640d87e7841f3eb371a204f9963aefe5e8e4b4b06adb4a4d6a014

SHA512
558e6d8ab87112948a4bc028becfbdf1d452f4200322d810346906464bed356660068a354df97f7e944ee84dcf5d814c744e4a3c48c560dce53221eb885574f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d2399064b6da78ee3b893a3a7781762f

SHA1
cb6766ccb53ecd0d8827e5b53c6ad82add3accda

SHA256
51a3d4ab85aaee3b6e4262d7b5ddbe1fbe03e4ee367463dbaa00ec99fd7296d6

SHA512
bfe48974ea02e64862ac4540b6f2431256a488c3058c1df23203f27d715146939b9013f546d3d598d223dc1bc72db9981c274a5ab5438371ed998d027fd2b7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f42782dcbfe640177d4dc22c2228cdaa

SHA1
fd32496596c04ad3a571a3399e6be65835133dd0

SHA256
c3780257c22848a7a69831105c9fbd895f7a6f7b1eb930c57304b7db76640db8

SHA512
154b0e7afe958da182116f39e9bf5d811a1acdde0574682d62ae5471710468d12ce8ec6e6f09fa7241de658d0b45ecb5e6f5564e57e2f361a9de803c87b355d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
82e1029d2bf76544aa3a05f97a541dc7

SHA1
eaaacde66a43ab21fbff796b1acda0414cbd7962

SHA256
b9209ac91c096902b44388ad2e1ae754b31ea1a5c169dc2db8159f3fad0fa58f

SHA512
f33bb437a46ead633b3b04283c0bd8011dedb5f00aabaea7c8dcb56c082b6d10eba7636f7463a0bd7d6e04560595add2e920791685c6512feab99bf7acfb272e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6de5ac82f80f28912ea681aa2f97af72

SHA1
3adc0609d27ab502e442ef8f2fdd6e842b082a6a

SHA256
b81540516a7fcb26ef96536c6bb4fb57c627ecb6e03e9bab40dd907ab038b690

SHA512
d2c8a69fd474c6b3b0c4bb0ce4ac5a4236a51fd0cb634d41735069738838487ad935c98818c5d9514cbc7334b20034b47e533806d98c022ad6a5ea67d92929ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b3e34981cea65f781cd090cc65cba86f

SHA1
d1e636cd489d35a0fff8d0de4717a19d5a576b6a

SHA256
30bc7b06ede4c1e542691f33dbe1994535accd60d1c9209289a44d34b1cb9cbd

SHA512
aa6c7bed4b1eb561644ee24e43be15acae1b27f0ed3c7c983ed2dc01b44b8e22204f45da3c3f3ce1b7833a5020dbf6076ce6c734caf5e7bdc9934863cd06d307

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ebb42155496deaca2edabe2249936e70

SHA1
6b444765565a6edd55448fdf780a5181daf3b035

SHA256
4d6f86c1237cf9137363cf0ac36af1da1480d73542c0b350ac8278970dd97476

SHA512
05973608f76a98b7da3e8dab124e98271699f04ce9cd7afa55276f5ed9f4a7bbdbd7edef7d8bff14847d11641240f6835f83ff748a5b00679a87236d2adf0d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09a6ff62be424caa6d830192fdbe9b13

SHA1
9a34782db3bf337fc2c0b1e20896924d91285912

SHA256
8014e22bfff5448604f421892a5529e4c64efc4aa3c1f84af312498f56aa893d

SHA512
074a8b9c7f27c05c78996a1ca73690818240bac49da98f5a74f682cbc4f08040dfeb0a2fadfc727bb5f927a993117973c1dca81ec6a6c5ad7ddd7337be7c078b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0730ef3d4d913c96f480ac95ab1648ec

SHA1
5ea4259766cb859bcfeb6572c71acb13899731b4

SHA256
c7a4a29a4470a7b09e8834acd45b6d4339535f1b9201530126a896b654701471

SHA512
801aef16b4126928a40f7c7ebef0b379fbb63c216069852eac4e699f4ff467089a179dd9222b3a7eaf948a00772132c2dd84b49196c1dc1356c4569388461a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5649fceadd091d5544969810a715b266

SHA1
809fe5778f34c4053f0ab8246771e90d6452171f

SHA256
5a1b784322d399529e190b7bc057337968d8a5e12dbbf3ba0ed9c992f8ee713a

SHA512
1d899049c316edc4fd00dd97022c341c32de7b6ec884531fa005368a2da958b7a3fe12d05714379fbc0a01d9c9630966c79affe0570e6fb0ee927ba3b3804255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fb30421aae2bb675690af482012b8317

SHA1
6348754e993fbea2ae1ab518ab976dbecdc1593f

SHA256
39df21084838c442b3d549ec756da08fcb049082b7ea5ae69746e8cea2e07433

SHA512
1dde8c6ba80be8553b2331e8c9dff1d81d753668f8496504c0bb61a98d6d571d8a24474c95c3a115171f3d5cc3aa405344cc4549067d906150a88608e8ac9dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
658439dc7e72b27567b0a9d09265b7d9

SHA1
e7bc1b4aac2a3c2360ea1a39299759f7b106fef9

SHA256
ca2940580f23b6746a873bd8c32af317dc60fe5b9dfecfd4a48b0dc7eb8e2fca

SHA512
f064670364e5ae97994833c262de21dff5852f16bb107427135913d131fe58af777356ce8625e63be4b3dfd3ab3bf058a76f8d9ac0d686c18d7539518c8d13d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d466450ade91c897342893dd659d6911

SHA1
76f90ff08e052d69c5d68544243ff1767a964e84

SHA256
fb3af44c9a255328cb0841e38a839e893e93c070829e42c91ee9d1472c76c1de

SHA512
f943a3d48c9fbca1f17a308d5740689bd06d859cf4a89181a9ce823674a2a028d472925f9f2987a35c0e05e0db62eca33113c66475a5f9e84bb95638f5488325

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a03c797986f593df87fc5d2798455a11

SHA1
bf17cecf6c793b7cda4eccd5b74a0ffc8b9a98dd

SHA256
8b947d231ea499e8a71ca851e25496c27f673d1daa8268a0574c1ff77d74da3f

SHA512
2c964d1f23e8aa8b3cb1a4887d744b5bb0e91b37ce9c7a086e1e42ef3caef0a59898cc232fe92d7cc9910acdd937c0c5cde613ea9f2a9b85afbce2b2ffede52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fcf91b663515e26da2746889b89c727d

SHA1
303ccb62c7820e6f7ca04ccb27661dc0e32615a1

SHA256
db743b482143c2ff9ff79799b40f9e6000da09af7d5bc6d69233a3406caabb7d

SHA512
b1996d0bd329a2f24eae364fd37a8ed2709c6a0e6e1f84fe586ac44b269db77d1a682b3a8b8a45275cef2cda4b75959690660d635339482cd7d4b65b2795d9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bacee9729730daf5b22ca3b6850cd421

SHA1
dc92c1c020509253881669083bcd1613fa173332

SHA256
02c76603754f63e46d8aaf8bbd298d60e145c7a0d062f1f0c1ced6be00bc686b

SHA512
1a25f64aaeb0c382006d4d15c51c3dfc5100f15dd37fe661a21484e40765df1ad88c531d647c526cee593726b665faeccee6b860b32b7e825b042df4d4c6daf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
691a3ed9750220923af74deb80bf46fd

SHA1
dc577a9e3054321fd60de3979a68b6faa099cd5e

SHA256
be7c602558473c316918edd22ad66f25ce88a2f1ab907f4d11a13280fa577bfe

SHA512
a562cea2bd3ecc184b0f912f1399324170560e66ba7155d62037a3caf5d1e1c71ea1ea581c8ca28e310d9434042aa31b9d90bce72e635eef181085ddc0e16079

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\install\explorer.exe

Filesize
961KB

MD5
c67a1c0ea5ae95b146f7fcdb65824440

SHA1
2a2b6ca5b2572b829879b299017ae73119919b96

SHA256
74d7fde66545a72106ec98473bb329fb21514fc267ef5723ac195a0522422859

SHA512
a6eb0735668b8318667b6b5ab00cf603407a511c50534b3324a41f90375346c29907ceae42f507598a31bffcb94b8997a90125578467652fbc27e9462d33ef6d

Download Submit
memory/2988-262-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3932-198-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/3932-253-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4140-150-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4140-129-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4140-215-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4232-255-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4232-203-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4536-9-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4536-72-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4536-10-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4536-119-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4780-1-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4780-26-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4780-4-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4780-147-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/4780-148-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4780-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4780-17-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4780-67-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4780-8-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4804-173-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4804-251-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download