cybergate | f34b240073fc89bef5aa4271ba241cb2666f410e34de05cf2cceb3c3a17360a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Size

504KB
MD5

0d55918c5ba95c84e0bfdd16f1d3577d
SHA1

32687fec574667239dbc93b290319409f9a0931b
SHA256

f34b240073fc89bef5aa4271ba241cb2666f410e34de05cf2cceb3c3a17360a9
SHA512

a75be6533056e2cb8c5692afa3dc2d6129e72118cccba531178a8bc8c1157a856009e254daf6eab98787daf9eeff02009adc38373b37c29ee005f1e5dd65a48e
SSDEEP

12288:lOjk0gatIW0KMS2872t0R6YBdzXUR7p9XICnngHJ:lEk0gaO42dt0RFzXUzdIegp

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

tit90.no-ip.biz:82

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Executes dropped EXE 7 IoCs

pid	Process
4488	server.exe
4428	server.exe
3052	server.exe
3660	server.exe
1452	server.exe
4704	server.exe
3108	server.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	server.exe
File created	C:\Windows\SysWOW64\spynet\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 4488 set thread context of 4428	4488	server.exe	152
PID 3660 set thread context of 1452	3660	server.exe	262
PID 4704 set thread context of 3108	4704	server.exe	348

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/944-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/944-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/944-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/944-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/944-8-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/944-12-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/944-27-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4172-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4172-152-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/944-177-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3840-179-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4428-236-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1452-239-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3108-247-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4428-268-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3840-272-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3216	1296	WerFault.exe	81
2592	1296	WerFault.exe	81
4928	3840	WerFault.exe	90
4220	3840	WerFault.exe	90
3672	3840	WerFault.exe	90
1924	3840	WerFault.exe	90
532	3840	WerFault.exe	90
5112	3840	WerFault.exe	90
3824	3840	WerFault.exe	90
4656	3840	WerFault.exe	90
2996	3840	WerFault.exe	90
3604	3840	WerFault.exe	90
968	3840	WerFault.exe	90
2300	3840	WerFault.exe	90
2696	3840	WerFault.exe	90
1044	3840	WerFault.exe	90
3572	3840	WerFault.exe	90
1396	3840	WerFault.exe	90
4424	3840	WerFault.exe	90
1788	3840	WerFault.exe	90
2724	3840	WerFault.exe	90
3436	3840	WerFault.exe	90
1772	3840	WerFault.exe	90
2856	3840	WerFault.exe	90
3140	3840	WerFault.exe	90
3348	3840	WerFault.exe	90
5068	3840	WerFault.exe	90
3948	3840	WerFault.exe	90
5080	3840	WerFault.exe	90
1164	3840	WerFault.exe	90
4352	4488	WerFault.exe	147
5116	3840	WerFault.exe	90
3388	4488	WerFault.exe	147
864	3840	WerFault.exe	90
1536	3840	WerFault.exe	90
3728	3840	WerFault.exe	90
1592	3840	WerFault.exe	90
2460	3840	WerFault.exe	90
3612	3840	WerFault.exe	90
2696	3840	WerFault.exe	90
2140	3840	WerFault.exe	90
3572	3840	WerFault.exe	90
4396	3840	WerFault.exe	90
1364	3840	WerFault.exe	90
3924	3840	WerFault.exe	90
5100	3840	WerFault.exe	90
2832	3840	WerFault.exe	90
4932	3052	WerFault.exe	184
3352	3840	WerFault.exe	90
1560	3052	WerFault.exe	184
3776	3840	WerFault.exe	90
2708	3052	WerFault.exe	184
3600	3840	WerFault.exe	90
2952	3052	WerFault.exe	184
496	3840	WerFault.exe	90
3536	3052	WerFault.exe	184
448	3840	WerFault.exe	90
1796	3052	WerFault.exe	184
1628	3840	WerFault.exe	90
3812	3052	WerFault.exe	184
2068	3840	WerFault.exe	90
2368	3052	WerFault.exe	184
1120	3840	WerFault.exe	90
740	3052	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
4428	server.exe
4428	server.exe
1452	server.exe
1452	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3840	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3840	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
Token: SeDebugPrivilege	3840	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 1296 wrote to memory of 944	1296	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	85
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56
PID 944 wrote to memory of 3440	944	JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 376
    3⤵
    - Program crash
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4172
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 380
        6⤵
        Program crash
        
        PID:4352
      - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        6⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 344
        8⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 368
        8⤵
        Program crash
        
        PID:1560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 376
        8⤵
        Program crash
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 400
        8⤵
        Program crash
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 408
        8⤵
        Program crash
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 364
        8⤵
        Program crash
        
        PID:1796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 384
        8⤵
        Program crash
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 408
        8⤵
        Program crash
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 436
        8⤵
        Program crash
        
        PID:740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 368
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 444
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 420
        8⤵
        
        PID:692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 428
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 432
        8⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 364
        8⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 520
        8⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 528
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 428
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 536
        8⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 588
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 540
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 552
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 420
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 552
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 452
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 356
        8⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 444
        8⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 524
        8⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 384
        8⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 560
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 568
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 524
        8⤵
        
        PID:496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 588
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 576
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 560
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 540
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 388
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 536
        8⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 564
        8⤵
        
        PID:692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 576
        8⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 388
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 340
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 640
        8⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 648
        8⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 660
        8⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 572
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 616
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 676
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 696
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 724
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 708
        8⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 684
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 692
        8⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 740
        8⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 740
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 700
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 776
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 696
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 616
        8⤵
        
        PID:420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 884
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 968
        8⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 956
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 668
        8⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 796
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 936
        8⤵
        
        PID:3528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 140
        6⤵
        Program crash
        
        PID:3388
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 344
        6⤵
        
        PID:5116
      - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 140
        6⤵
        
        PID:1244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d55918c5ba95c84e0bfdd16f1d3577d.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 344
        5⤵
        Program crash
        
        PID:4928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 364
        5⤵
        Program crash
        
        PID:4220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 400
        5⤵
        Program crash
        
        PID:3672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 420
        5⤵
        Program crash
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 428
        5⤵
        Program crash
        
        PID:532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 220
        5⤵
        Program crash
        
        PID:5112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 432
        5⤵
        Program crash
        
        PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 416
        5⤵
        Program crash
        
        PID:4656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 424
        5⤵
        Program crash
        
        PID:2996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 524
        5⤵
        Program crash
        
        PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 432
        5⤵
        Program crash
        
        PID:968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 500
        5⤵
        Program crash
        
        PID:2300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 528
        5⤵
        Program crash
        
        PID:2696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 536
        5⤵
        Program crash
        
        PID:1044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 432
        5⤵
        Program crash
        
        PID:3572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 424
        5⤵
        Program crash
        
        PID:1396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 552
        5⤵
        Program crash
        
        PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 540
        5⤵
        Program crash
        
        PID:1788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 664
        5⤵
        Program crash
        
        PID:2724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 704
        5⤵
        Program crash
        
        PID:3436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 712
        5⤵
        Program crash
        
        PID:1772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 720
        5⤵
        Program crash
        
        PID:2856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 728
        5⤵
        Program crash
        
        PID:3140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 672
        5⤵
        Program crash
        
        PID:3348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 760
        5⤵
        Program crash
        
        PID:5068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 784
        5⤵
        Program crash
        
        PID:3948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 772
        5⤵
        Program crash
        
        PID:5080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 820
        5⤵
        Program crash
        
        PID:1164
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 832
        5⤵
        Program crash
        
        PID:5116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 844
        5⤵
        Program crash
        
        PID:864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 824
        5⤵
        Program crash
        
        PID:1536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 820
        5⤵
        Program crash
        
        PID:3728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 816
        5⤵
        Program crash
        
        PID:1592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 892
        5⤵
        Program crash
        
        PID:2460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 900
        5⤵
        Program crash
        
        PID:3612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 928
        5⤵
        Program crash
        
        PID:2696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 868
        5⤵
        Program crash
        
        PID:2140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 852
        5⤵
        Program crash
        
        PID:3572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 828
        5⤵
        Program crash
        
        PID:4396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 904
        5⤵
        Program crash
        
        PID:1364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 888
        5⤵
        Program crash
        
        PID:3924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 892
        5⤵
        Program crash
        
        PID:5100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 824
        5⤵
        Program crash
        
        PID:2832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 928
        5⤵
        Program crash
        
        PID:3352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 780
        5⤵
        Program crash
        
        PID:3776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 984
        5⤵
        Program crash
        
        PID:3600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 992
        5⤵
        Program crash
        
        PID:496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1020
        5⤵
        Program crash
        
        PID:448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 856
        5⤵
        Program crash
        
        PID:1628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 816
        5⤵
        Program crash
        
        PID:2068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 928
        5⤵
        Program crash
        
        PID:1120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1016
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 948
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 980
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 888
        5⤵
        
        PID:1296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 816
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 824
        5⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 932
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 668
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 528
        5⤵
        
        PID:4656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 356
        5⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 356
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1136
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1156
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1164
        5⤵
        
        PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1156
        5⤵
        
        PID:3328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1212
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1228
        5⤵
        
        PID:3564
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1228
        5⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1228
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1136
        5⤵
        
        PID:968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1140
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1136
        5⤵
        
        PID:220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1512
        5⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1544
        5⤵
        
        PID:2592
    - - C:\Users\Admin\AppData\Roaming\spynet\server.exe
        
        "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 376
        6⤵
        
        PID:3452
      - C:\Users\Admin\AppData\Roaming\spynet\server.exe
        
        "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
        6⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 532
        7⤵
        
        PID:1924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 140
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1244
        5⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 392
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1276
        5⤵
        
        PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 152
    3⤵
    - Program crash
    PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1296 -ip 1296
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1296 -ip 1296
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3840 -ip 3840
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3840 -ip 3840
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3840 -ip 3840
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3840 -ip 3840
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3840 -ip 3840
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3840 -ip 3840
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3840 -ip 3840
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3840 -ip 3840
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3840 -ip 3840
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3840 -ip 3840
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3840 -ip 3840
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3840 -ip 3840
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3840 -ip 3840
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3840 -ip 3840
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3840 -ip 3840
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3840 -ip 3840
1⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3840 -ip 3840
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3840 -ip 3840
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3840 -ip 3840
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3840 -ip 3840
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3840 -ip 3840
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3840 -ip 3840
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4488 -ip 4488
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3840 -ip 3840
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4488 -ip 4488
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3840 -ip 3840
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3840 -ip 3840
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3840 -ip 3840
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3840 -ip 3840
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3840 -ip 3840
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3840 -ip 3840
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3840 -ip 3840
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3840 -ip 3840
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3840 -ip 3840
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3840 -ip 3840
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3840 -ip 3840
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3840 -ip 3840
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3052 -ip 3052
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3840 -ip 3840
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3052 -ip 3052
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3840 -ip 3840
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3052 -ip 3052
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3052 -ip 3052
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3052 -ip 3052
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3840 -ip 3840
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3052 -ip 3052
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3840 -ip 3840
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3052 -ip 3052
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3840 -ip 3840
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3052 -ip 3052
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3840 -ip 3840
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3840 -ip 3840
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3052 -ip 3052
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3840 -ip 3840
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3052 -ip 3052
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3052 -ip 3052
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3840 -ip 3840
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3052 -ip 3052
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3840 -ip 3840
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3052 -ip 3052
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3840 -ip 3840
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3052 -ip 3052
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3840 -ip 3840
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3052 -ip 3052
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3052 -ip 3052
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3052 -ip 3052
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3660 -ip 3660
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 3052
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3052 -ip 3052
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3660 -ip 3660
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3052 -ip 3052
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3052 -ip 3052
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3840 -ip 3840
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3052 -ip 3052
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3052 -ip 3052
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3840 -ip 3840
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3052 -ip 3052
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3840 -ip 3840
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3052 -ip 3052
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3840 -ip 3840
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3052 -ip 3052
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3052 -ip 3052
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3840 -ip 3840
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3052 -ip 3052
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3840 -ip 3840
1⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3052 -ip 3052
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3840 -ip 3840
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3052 -ip 3052
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3840 -ip 3840
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3052 -ip 3052
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3052 -ip 3052
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3052 -ip 3052
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3840 -ip 3840
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3052 -ip 3052
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3052 -ip 3052
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3052 -ip 3052
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3840 -ip 3840
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3052 -ip 3052
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3052 -ip 3052
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3840 -ip 3840
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3052 -ip 3052
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4704 -ip 4704
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3052 -ip 3052
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4704 -ip 4704
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3108 -ip 3108
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3052 -ip 3052
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3052 -ip 3052
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3052 -ip 3052
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 3052
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 3052
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3052 -ip 3052
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3052 -ip 3052
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3052 -ip 3052
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3052 -ip 3052
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3052 -ip 3052
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3052 -ip 3052
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3052 -ip 3052
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3052 -ip 3052
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3052 -ip 3052
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3052 -ip 3052
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3052 -ip 3052
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3052 -ip 3052
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3052 -ip 3052
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3052 -ip 3052
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3052 -ip 3052
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3840 -ip 3840
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3052 -ip 3052
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
ad0cd3657214adc60b1f78a125768d00

SHA1
1cc95ed4514ef845edc6008155599bc1f8ece6ff

SHA256
54899a73dec0f75309d760e645a7149241da8362342623f6f4bd5e370915b7cc

SHA512
a7a05a50cd2b361905401f58bd10b7b9c3f9a5f148e5386f1c3dbeea27fcb956ec8a69cbaec3558d22154b0828beba8ecacfcf31724a2d58a5f3a88d3bad7ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
a0e2be30a4c91cf9bcdb6a2716a4b41a

SHA1
4eccac6cd313a7bc64bb737c892c6c9d832b070d

SHA256
684b59ee3cbf17ca76e34f6d207500cc7a604ae7675a3dbacc90ff5538f7edff

SHA512
e606733bf0f7668af8711049ba6768646cbf90d0809aa482504452eb6b4ed4d5e0b99694aa9d11fe318c202be78f49ff07fcdc817f526801c7ce167041bf89c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce6856bb472fbca354145c77407f95f6

SHA1
dd0947bcd083b5cff1132eb64c6f37e70a189a24

SHA256
3ffc44989c77ce6609bd01e373b98b7b7db59fe11ae8fe710a08fe707a8e682a

SHA512
29a8900f04217c150dab9ba21b3c72da4cec73d646824d5f0805d578fac16a6f8a2cbaf0fe0433b2664cfcd45b1957547903b4cc50b499101505162f944fd47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
60f05be250e7f5f523191eb7e532e624

SHA1
ffec5cb11cd103b4606a2ca92bf0d5a96702cfa5

SHA256
9534166b0742c36d3fed46da8f426bef0eb44453b1af1d0cffe1e547890d8d9c

SHA512
a719f80980621800d1a66a7558930c73027d66fe25710abe5bbf0101531be85823d8467d7b6146b95d4bce1d86512cac96547f548066021b2071c35b519b081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9435b791e53d9befeb49d8e8c8e85988

SHA1
94d6397958f98771231ad6dcfc3a3a3d3594b5ac

SHA256
beef0c15328e67cfff578679e2f8f97a42725aede7f85372e46a5e48ad245a12

SHA512
e0401af096d6e6e190c66abbd23a833292ce79efcdab8a3eb090d64ba9b5a684cac4fbd5d535b4bf0f0b6fd2d203af2f63034b207b9b46ed327be1fefd8a4644

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7c6cd4ffb367ca0307763516a99ab0c9

SHA1
350e6d4c7d6805d021f2f6d01f640594a167cde6

SHA256
6537bd521fcb16dba683c5340afa6f9a78d142354d1c1a56f9af2a70a65a1ee2

SHA512
27ce8750a12f63ba2ccc106944fd8af870e750b703d7869429f8c338736e9e656eb52fa74f4d138a3070812051baf604adcfd19f79e3918d8cce50e1a8a78a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
49fe06f2844a298efccf8ce3f399fed4

SHA1
0b1a7fb32a48ea8713b2f5073a64d7f80abfdb4b

SHA256
cfe44a160709563bc0238fbbb342ebdcebb564ea0156613bb897602f04b07dd7

SHA512
b00657c22b16f91e2ce4a512de4173b1c96518ad4361a3e12c64515a7e805aaed2a0e4864b2e0610438eb164d799e08dff37a4b940b144f99cbbdf1895148ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ceb6677d9959b7e498475f962c4db3c

SHA1
0f76bae99c5bebed937b9f7664f18ab7ea015404

SHA256
a2bb9b431c36c6a571dc0ef363725becbbf36910d42ea47ad8cd0fdb254d9518

SHA512
2d5df9fadcd3b4c334c3b4260b30c0c3962e13f5ee70d9ada984c561f026008eb3593c54f5f335e2977e28e8bc52d25c5a2906e0b4f081fcfe25f97f2631c30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a0f22905756005132eb3dad432c822c1

SHA1
587833efdf516a49d83f04a747af37ee6bc5bc99

SHA256
f14dcedb886412dbf14b67c868cb418868fa83b0bc0ed8d21dfff544f1ea6437

SHA512
f10c96d06213a9dbbf34dc8ae07947342a7f96e3a4a2790ab694fb8eaff693700be42d392b572758702aa1f2888a22e47d45dba33ad3ab3d2b9f93462f4e2699

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dea3eca552b7000d6714ef39a4c6b54e

SHA1
9ed0f876e45da620982d2f7b2aa210c3b2778b09

SHA256
ab31c4c9815a7098fb836bb89ab84ee00f81d2cc29f0bf04af0672758720d471

SHA512
ed8697eedeb878ea6610f9447957db411f40592e5a434d3657732aecf510a996f9484b12d61e84be16dcd6498944ed37e77b49978679cb86c2bc96848411cab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9bd2bcb61fef1090c7a214e7a36ffaf2

SHA1
b9a061c579077e5aac225b474348896c18f2fb89

SHA256
db9ac2ee7cb2e71694901c09c763844394a2442c2a962ea0dc8aa19515c4a950

SHA512
5eaf140e40f36d74b9b1b6bbb994b394099681ee6dee6265502b8b3906d9a4467172069cf878aa4d7b8e1099bd541ac569bffbc415dc01a3038cf0b6f4f4de54

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
37f92733acc9a4b2bb6830802b668924

SHA1
985b4da895ab583aef86232544269efd9c248194

SHA256
092aea1f421b9c148c26ce154ca99b79e010082a7b22658e19ff22d2f0aaebbb

SHA512
474ee0fdb31645bbf2821e7aa2c9e3c155ed1d144b560478860dcdff3ada1a4255dd2d05ce9c215ad65e425897c33938a74bcf9f7c2bff428765776f9bae4cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
13af965aa3a11cfc7514dcfa9497551a

SHA1
d9046fcb73682d301c2d201bde436f67271e95b4

SHA256
67dc1f973a5540c1abd2352d90279b4a538867a26b13e267f3fbf57fdd415760

SHA512
e4998ecb3b9011b7bce04a443db213cd8187c175b220c0baf6a842a009c445907ee1369304b8efb8534fdbb106b44487fb2ae6c602404a1aa219713868df9a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73896b1b0affe49324f6f1a5914264e2

SHA1
7a3d6a02de9afb6bc046acf7e548bc6fe3181b29

SHA256
5f3d668859cdeaf3312ac1864f967d6857e56ce37fa11bcb5921d3351bf615de

SHA512
8ed3cfb910b566ec07d6e478821390c104fc20b2a2991a6a112e105903e5af303e4941361d74ebe7c2f6423e6b1b7f81b603a73089e5d029fd65d7b0057a7a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aa0abe0c5a466892f3145fbc83fa6a2e

SHA1
83f95cb7955c97bc9659f6e25132b2ec09ef7997

SHA256
523a6dbfe61390cc50a4b2bbba19ff185ebfc59ba218fec49405f82a44b4c231

SHA512
dfd2a14885558f15b8f2133f9e458b22bd35388246320ad92920284977673c7ad03b4d5699472641288520eaf5920d0c37432bf88c660b6776a00b366a5805f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edde80efbd195801cc336b3cacd7fb36

SHA1
a845b5560f66aa7ebeb3f05cbe0424b709f6f527

SHA256
d95b731e265cedb6d293da67c4cc417305ce3b648ede6fd9ee20caa1d53f22fb

SHA512
ed769221b0ea175a182eab4d1a03daf4a9696cd57f7e1b95219024f7c8e672f662516f5a59acf4c4ffb5005c4f30816bf12f780e83c9d16ac1f4c0161d3a188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9b35c6c8bf95fd08160a22c7b45bf7a

SHA1
8a228ea8613f1c9ad59fb2100e822ec8344c8f7c

SHA256
dbbc577d0a1074f37fa0f653631b9755e962e56104e1fc35cfa27fc3f238caf8

SHA512
a05e5a35d2035d25bae1df95cd62ea1388d9c13a83003787de82374d94e8272383550515e86121fbb336846bf1134e0dc4393705be52101355a14e2d0891e39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bbaa392e39b579b3d4d3004c33c0103f

SHA1
f5874eeaaf26a164b22c697c8ed01c4531646a34

SHA256
c6753d0f34ba8680c547ec5f14744ab873bc2bebc5d05716c4b1e6a9b696b10b

SHA512
cf0a307a648773e3600d9bb3fc331efe3bbaa098f4e24ebc27933a06ed3a6f58bf6c3f9e9db9672cec0eac803a870df157a044bc8be3e5abd7754560573c20e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c82e5d8740d9255d74466b17498a6e99

SHA1
226833c2a2eb0ec38ab30e08c2cacb1ee550576a

SHA256
a386d64eca6a1bc986ab178bccbfc230872fbd7bc506d22366d7c17b731a2852

SHA512
352ca0b671b2793e6e607354158d9d44040aff8b2a20bfdae34119acc8aeb740b4ac425dc2aaf1739c672b7a1e481f7ff45c5ad14d51ad9bfdcde8ff6223cc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee3153cf8479fd5c14b05f3276b7a73b

SHA1
2c08a7314fec0b659753c2df2ec7d66d9c7a9fb8

SHA256
6e7d0e1728cbab9c92d1b55c1843bb64e440a37cea19a5319e7474d15448652b

SHA512
b6a11779010368779a59f3f644f6b06e90b7484b1ac854fa4e4e7ee03a7aac7ff760e680625309b24a4a78ee1492f85f5addf7da9d1150feca0f3d9ec666ce6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aede653ed567a57bff71e4c1613d16c7

SHA1
e821ea62385ff62bf976a76ba790cda9bab27d6e

SHA256
1dae8551b4a6cd58ad4b7993ed563c54b4daa4bc3c67e3066638430b310f860c

SHA512
0221e65308bd76f4032d17bb913b0f3f79c7a1a80de69e9715b76565ef174632d92b8ccb9886d3354b58ae204dc92e3af3d2e21f725041feaa1bf261a1d47461

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2575b5a9372bd7e2aa05614a1ab989b7

SHA1
06087ba9b76117f36b0547507298c5bb4ae556c6

SHA256
5522f0a51866c6efb127a2637c6622e0b533ab625910652ab21ccc981b6d59ee

SHA512
354767cd83dbb319d04a2f8eaa71eb9b506cfc9d6ea19f8190afc96e014fef6346623ab67c6ee856794eb00787041283088624ff25be9ae410f342230bb1bb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
322cbe2d09c9f0464fa7b17790da71cd

SHA1
9ecbca4c748de2c9c4c9d51f40a85ceba09933e2

SHA256
acd27fc1c8db843ae7553bf259854397a874a5734d302ef7fcd01fef0f7486bb

SHA512
89f172ae03f57146b8a0901e8241547d6e1cb4476296d06f085eed5bcd984850eb0b48dd2d086e5ca909ef380387b23b6c3c33001ba44ac56685e0dec67bc618

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a50582793502e0c4bb847276b159be6d

SHA1
5bc440b47bd56a6c6f205204ab220bb99061d965

SHA256
f4f5c25e53b3d8aa0d83784162f51c59684e9e7f679e8c612cb612f76630f519

SHA512
3d47f07d912de55ad427dcc61bcac4230d5ebf773e6604a9859725a6ad8af8b3e9e140ca7125acb99f02534ed1116b8f7607858375c7b0c4857e343226555008

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db238acd387aed5f56ee549d4d247dd2

SHA1
582204877f6fd50957e0847aa21c7c914e6b46dc

SHA256
d613212e13fbb860034cbef03831c4810d1c98df447c954f36c93cf03c60e3ba

SHA512
f2107e0cecf828286f85dfc5646c43306c62b6faa24a823fa865f50b02e272851c24271686d0d2619167a13e083f81d84450ba4104f4f97c5122fb063db73c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc4542a2c72c4e55f2f5d674a28bcd7c

SHA1
f5fe8c9730c64fad440b442bb6e8527bf433e850

SHA256
02ace1b615364040b86550a7fd52eea1e1b5d6caaeb4d31db7794f0e7aeb7f52

SHA512
12a7dd1df58e7e3dadd06a62a934a27cda1126c67662ec2f802514ce17a27cd27f0b7c7278ee5ac868b711b9d00499823f706d10cf879733db3b676eaf28aa3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2df90986d2895f996000e30fd24d5a36

SHA1
58b9448863c8e80307ae18ee7e42035790d86470

SHA256
1eb7594f2328e74fc27d9121f38e0f72a27c47ea00deda1494fa36f4c1f6d3b5

SHA512
3b288b31951873b9b34d18af3f5a53d981dbd0f22a6f5a36865896077d3c7f6b16eb93ee0c1a6d08a71ee338ee0b5917643066f78bb29ed11b27a3e47ec4a43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9b1df2d5cf8f9393a63bb2195518b09d

SHA1
6fa602daeb34a56158a0f833c39f23e1bb334c0e

SHA256
28040494710bcc812c47b875b5f9eef83b4a6b07e49ac263e18c5b29057579f5

SHA512
d181e1c53cc26d4e2599f9ec87d057984afab7703e3aa8179a3d7381ebf18077c2e70e9a636c4cd2d3fc94c371643b36cb300aedb21c5736954f1c688794a6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
02526161c83e76690650c95a19cdef3c

SHA1
19f3e96d02f84d8628f9df9c84b5db397b53acf8

SHA256
18925ce4b2cd161eb132ac4e418cb125c4730cc80f12ce60a1966cf95bf4377e

SHA512
1d4e7dccb3a2857eb43f59af1f66bc62b534e7fef758744a9923108641dfcdfe3a61c96f309e378b5fd7521fbd00efa85d307feb27281a1c014038be7db2e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c416fc7b83e5a8e6d7440ebbbd52f2d4

SHA1
e536a011a9a08888704cb1f57afcbf46db28b807

SHA256
3effec8ec03ededfe93c6d6c75bcabc57be578a5327b86df89682445d6bff4d2

SHA512
a4929e30a5b6623c32d0a7a3f30730b9b67fb33161d62a45f98949bf380fd0b950c2c9824a04b036ebb65145057dcd8f53a9e1d553dca9589704c983c899fd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b97b8f0d6cce278c2b022ad2b4ab129d

SHA1
c41dec74f805d601518ce41f8b2ab7c2d40aa058

SHA256
0acc366c55296b4d201e778c6664f54b597c9c4ebb25c68b214d804bf9070cb9

SHA512
2a8186ec3a18bb7022b8655691f5400a4ccc9f2146576312f76f930806499d1aded3d19b2b66b13783b577f83c7759a44fd15178b65bb07f985ddd4f22245477

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88c9d1f0595ee8e2f63da5999d92c315

SHA1
bdff733cb611a5535226ea96e748938af3c4a3ee

SHA256
1cf7201308faff5d18faecc8971059fe59434696dfc5fc5887b61d17eb66d406

SHA512
4ecc91259fac579becd7b09b61be2951926650647b9aec213b126e72957eb338f6c139cbe308188cc43336ee8f1fafeb60e0aedda1873f1204a1d81693873252

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7434ded6078498a6f58a69a16b53bb78

SHA1
116ecf74556ae3cf72396d37cd48dd0d5f05c730

SHA256
f6df9005d4ae9d13a4743b341d792133fcf4e53319d9491bf59c2298b1170f07

SHA512
cde6f13f0fab5d54676e770ff776d840fe3e21fc7b5249722cfaca6bebe6e374411f6c7417bfb935a954aa56566437acaee323eaca913bd68ec869a52444547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4610bbc6cd400ae0843e372943c07f62

SHA1
9419a01adb59a3277f073c595f82953fd50d7a68

SHA256
84b7120ef5f22b4e1926037d6bd7c932e81d1b28562e382178697823368b3948

SHA512
212ed848925368ccb1b7eacc87233bf92c80a37010e7730ce91c7942c21a58fa5cede9fbc32a8f23e5cfc803a1ce47622ae671a8376fc9ee15348d6b3f12471f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
489723ea35e1d3dc6c5547ab9f87ad32

SHA1
254cc81fa0ef280d58fce5f550ea69fc3fddeda5

SHA256
9e1ea05640c8881782c827235d67717e8b83c1ba8ada97321f1d13382b7d330d

SHA512
0638bc3c88e1de9b8c0fd057e91ab99086fea71ec2c4f18435c9c8c19c06d83a0ba6ac1ee86a69c1b3925cce38caf32aa8b703e535795697ef207695d3e02c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e9a2a56662c1cc6b341095198dca984

SHA1
36610dff3567842e01df1d59b1f1213da63173f8

SHA256
584d95642a4988cb97987e3d93f6d93fd0724da28e62df46a4768c410912f7e8

SHA512
df459ac15667e9bfaf88cf93ddbcc91a451dbf87d12851d0c22224da2a10e932ca934c456e17a73f9dde07676854c342f1af75a48708e9de93410ce83146f060

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92224e253ab449fdfac311c351e17f3b

SHA1
5996908b68ce54b3d16113bff5cd6bae4657561a

SHA256
c54e03e35d81510ae9d16d4eb7f4cf86fb77f992d4f9b837887477dd32d1206c

SHA512
e34f4b2d72c31e831eecb8eb4338c421f19e55961cdcaf08ecacecf47a0e224bb265db49397af42e251da1bff60be817615412859c8f164e9409d376f7805425

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73480d6f267cc5094d27f2e950a47d9b

SHA1
d44139be6e8763dc67b026e2fb264459902115ed

SHA256
98daa907bf41d33291bdde7ca67e490ba86e3385054930e6b7f8310b1976214d

SHA512
5734314add5d17e4ed09177ae050c9f1ad2277d15854cec3f7dd7a4de02746d7c0e5464c339afe3755935fa27ca217dc2306a485720453a88f698000ae0ee226

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f8448fca3537144005bf6080005bdadd

SHA1
25d876d5f3b8a505ac769c7e8599954b84ad6ae0

SHA256
85a35cf89d8910076e202db3ace240397fe5a977109065cb687b09efd008d26a

SHA512
19f56885683102a41c5e119d4ae10d26057b53f90814f70ec09e193992a84083b609c980a018ed44aaccc42be20f765837f7ed3953ebad4dd92230a59f978b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73bfe27a5d6dc05b7ccafca3ba8baf00

SHA1
fdec023683878611741716f6d2c0066cf89fe38b

SHA256
e5af12892ff05b5d55200c01299ce677a2e07d452652729fc1f5483cf5190bd2

SHA512
8c6669ad57e39d07bdc0b584234ca94b05f66aea537b6a19dfb7a28b8c7668eb1a6070e84bd84966cf054db11707e0aa20f2dc7fa22d223c4785a4210920d728

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7df067d5cb575335edb6241e4893b619

SHA1
ea2faae3fb3e84176916c56e65cfc2a3c4afe41a

SHA256
67e9d6339c94c96d169672a829e6f575ca26b6074af0a1fad2f94aac41ea742c

SHA512
584f1fc0121082d3cc273e45ac0e8eefbb77db1fad267c4b8dcc07e6d49e626e6f96a4ebcee4f93ef5c40dd887acfc293511461484704f548d5f1ef468958284

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3ff2865f5d9e8b0815590229dda0a46c

SHA1
dca005d698f4f7f7a80079b3729d6d2a6129fdf9

SHA256
7c742ab4c6cade8428133c212dd83d39e2d48b6962ecd71f50c255867c04ade2

SHA512
f0ddab07f7c65d82ceaf5ff708c7cf38c3db79e95530ebd0a8b1bd460efe390793cc14616b60666e6025c1840c8f1c11013becf0a3c2a3ae64e9a91bf558861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68eafe79926b4d266259c303af934a9a

SHA1
181d6599be1ac2133d9fd8cc807d052e12b11916

SHA256
f602509e2b1e194f490d49265fec9c0f6f5d95f2825932eab8b37693f1a25419

SHA512
5053e51b16b6c0442c70b3c4e4bf0c2a722cb98da1efca623689a7c14d155830ea15af1f8682a48bd1110c411d86f5c8565b030863bbfd4d02e7e0f6cd6d8685

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aa02c250722732eb972bee55838956b6

SHA1
b6a7cd6879050d2b648b3a5d02852dd36c9bc667

SHA256
f09ebaf94bea21e4dc15d1be5d2ff82195c39be025aa86c112bfb8af6e5684c6

SHA512
e1cbbe98de82be0af12771ba379c3084a74754e5196cc53197c80ace2ef0cda7eb5fedfa77642e1664ff82c9c007843d93f6a5fb86f560c285636789a647bf47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d55e29f072522d019758c250017105bb

SHA1
d24c93c2df9bd76dd4c40eeae03ca978ff365a14

SHA256
e06b4567271b668e93f99bd87f2dfb6082ee6699abff1c0d5d909fe882a79b68

SHA512
94fc9303fb93a50aed2216ff49b30ae8a8eeb6f9b1dd82934f47b60038a507789a33d31b12058afa0b294c6c436594621eef1c160fdac08868d8ad02060d8f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc252d52b40cb69a3000dfa8d9b9e404

SHA1
c6b7a364e43e2fa721c71c77418042bd55c5a067

SHA256
25e04cc62af968946affab1d8a23c951bbddd0eae8436f18c59d8054c4b18cb0

SHA512
ca9bea5456fb820220f249b488ccbee9fdf1777b6af1253a304ef8d986d5e5615a19f7eb4acbe20d96d7865f00c490862f54ba99732c66edb3e825f4ba9932a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
35abe147e265582c5e538e61c957ee94

SHA1
04fb600ef445023c70537d3d6301b599daf691f5

SHA256
dd080a34c4cbe6e52b0bbc742ba2ac31a35a8619f64b96f94ca852444850ee98

SHA512
87d7983bc901211015ca3f34655c67e15f0cd48e9c932f87ce12f1c82d3a7ebdb2aea4df59947c22f66b1930642e48c8e8eadf486d1d79c2fb9c4b0a01795e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f9329bce59adb664c911c98905ac39ff

SHA1
dc3b243c095e9a9200b54eaa3590f752e3405bf6

SHA256
558c99c3fb2faaa6c2352149ac617493c26c735d6681dfeda5a80ae3ebe16d08

SHA512
fc208f8a8a78012998d99cb947717bce9ae8a2b76a581bc9bdc63ed51a71d0cc399c8d61a5dc1eb5ce18dbd76fd5fed70d72f84596ef7a6c3f3a149cd9c8ebe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
700ff4cf745042660df31afbd3d6b592

SHA1
f794fb3b1af337c092a9f13bf899067d86cc15d7

SHA256
87e5b801e5d748c7ef7b882079584c5489417f46b4036a0991f8351da53d9cae

SHA512
a4bf475a9f0fc4cf713b4a54c8c7244c833ce220175d7ddb334c9df32c9fa916aa0e16fa6e1197d77384fad02cdb3395a8cd6baa3a9c1083f2aa2970fcb1a871

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68310f07604735a6166b4290e0fbef1e

SHA1
7af81ba61a1d5e78512d724e9608efb35fda13bc

SHA256
21cb9251c460a03853a025f3a9426e51ecd638ca10825d21de273f4e4cd7b17d

SHA512
08446520d0ea6429fc7073d805c3d6b3eb969f1ed1877279b594696ddc36d0a1e33092802c8bb310f7df94ab6e32f1be1e0dc0e99207f11a317d4298b31ba308

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c409d9f124e43001845bee73e9bcb607

SHA1
7deb8c0cdbf3ea2ad150bd389fd47d86746086ee

SHA256
2817bd50655f1bd087f4b8a49024893873b6a393b34ad97753e95c2b1b29506e

SHA512
c2b4a3b2bca82b9743b087d6a3efd0286c49c0ddf6597520f370656aeef3052673539cab6f7befbc6ec6dda7bb2425f8442e9d92b7b3ffb2fe12d060a6797ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb933911510031b7822619694de167e5

SHA1
75ca353b4886abfb784eb75db1fbaddb8c6e010c

SHA256
1e3115b59a1f703d96cbccbf6d7a116fa4d4fa5c5acb22ee1d093cc1af08cae3

SHA512
26a3c59ad12b513f4880f35cdc6454fc9cab5764424e8bda0455a68356a4b7e6be1afc332eec4a4e6b96347384bfb094bf5398d4fffe6b446592eced7774882e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dfabb71ca2dd114b8d3224ca0bda5fde

SHA1
2b70f9c2ca4132352f683fa8867e90921576f1b3

SHA256
bacf4d75836bc4a32614e4a6461e3f12fb5755465f8e68feb07f4e8a54fcac6b

SHA512
c073d4076f87091a7840dfdd504eaf56305357c4f85a8ecd467bf3bbc4969dea9d9167c441a9a9cc13f3855bc9492ca5d1486aca2f92e6c110b176045e40109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
109114ae8d57dd769fc5014707e1500e

SHA1
c0ea66baea6d36ed9ca7b62cbe652cb400e5c2c3

SHA256
aba8dd4831f9faddb757c596a1afd516bcfab794aac6db0170bde240086de961

SHA512
41f601a71c079167ba9a1860be2379f482c5e50d6c61f3c4a9bae0e59e87e5ade9f8911006a1bd15e6e0ed5b9435f61275ac195b2ed8fc9fc42a6cf4afdd5a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bba19be0d727b3f05c5d4d8d171de4bf

SHA1
cd96d7e862d13dce467a27cd6a6ddf5d2f8c8e7a

SHA256
788c3a149280a8f239952463f51890dce41b557c1fa8a1552e891e7ea29ddce1

SHA512
7f46db4be9fd30effdfd6ab0e4cef9ca806e4f0b8c2132dedef51b90c961d25246b8ac6a58db7bc1fd8bd3dbec7aadebb270f49261486666a7f063f84fada353

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3341f83bdba64684afee3849f2a56e69

SHA1
79ecdfdc23bea71701ca687aedd5b85d300d6c08

SHA256
88366368af9518c90aca666dd45fd626a09fbd84d650bdd390c538aa6f446db3

SHA512
d9461ad18d0b0729e31bc910f69e0aeed8246ab8628b25bc6649c10b5061b283500e74961c616293e85f87b96d7b907b84e5c6a434e2c2e292db5f0b66f27357

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
24f734e0ae2fe6207f35ebfd38dfde02

SHA1
278d235f77906756e9fff09c1c050b3f25af8786

SHA256
4e2ac58667d05c385a6f5ff2b1be62186782f25c03db728871fa022c3f2534cb

SHA512
12a137e30022814875ee4e21407296f07d19f0d91f339542e421a22ba7bfe5ff9d7c486ae7f4ef5799c37c0fec641f9a9fb777c149f0aca2ef9c3336e909ea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
565cac2bd435d05bb2dc41662fdd0032

SHA1
5dee0453f5557d5efca81be01fe152b43771d2d0

SHA256
456f386f69879bf5b0361f924f21db99f2285534a8e5a3e9780318d31d3ac577

SHA512
2712ffffe758ff38d81e24f72869077bc5aa50861ab2309143938b0493542043ad5a036727c7f87cc777023730fffa68176006e6f864d8ea14af9ad5b03185d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e123eb9655d4d0f827944b40baec1d0

SHA1
eb9a9a273c372dfe9eb20693f294c57aee7780b7

SHA256
e5fa08edbd672034106d3208288d618b5eb8eb27a191ee6ad6dee63ef07a6d8a

SHA512
ed491eb7ab3979830774e60bde91aab1efb1832caf7efb22e2f605e0ac50c7928bfca8e5d57ac6a869130c041dea14c6f649bee8ca61e9a8a2eaff42893b3b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a02b949c9428d806dbca0dc0a59e4dc

SHA1
0cd5d817e7882e420c6b33437bd83c2997949c57

SHA256
ba20fe6638b87dfb509447512a753a6e44749324bb8652f4b63a3f3510c55a46

SHA512
43b448840ebeac7f5514a6e283e8b5d59b71618b63862938fc1cd3504facf6bb41a7c2f539dd5aa9fdc173bef053028c9a326f3875950ccdb7cc89d6e56453cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b19b743ee38d901d16eb37cc5befaa9a

SHA1
d77de8e93c6cf9dbb20cad3c7ed2006be5f539c1

SHA256
0a334b53611b234431847b0568303692053579c9e383aaf428f7a1e90cfbbe86

SHA512
e758c9358b8e8acc960f3309fb8abb6977bf9583b8d7c0562af5550eb7c790f47343df3db65e5d145e528bcd191b7862f8783ad09343bc45d18ef95810df4cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b39edb852c6478042dac485e503cf5af

SHA1
00a21e6b1b9b3ddcbed32cb1b0249fadb998160b

SHA256
87f8347e0abf9de0978ba136a6fd199af5057f0ff0f1dd8ea57c47d13c9c6fa0

SHA512
f1181a0fd985b99df9f61a1e46ccef2194431f6aadc76c862c841bcef59a6a66cccb75fe36b3a1b8db3802c956b0915fa3a0e68bdbd7a5f9f9ac475c290034c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
848a0e3c52d985ec65a482569598a474

SHA1
dfbe89810c3dd296900ab93669b761f8b8a091c7

SHA256
a6756afd0857c8791c91e1ffcde2e0d77cc0f7fccd4b991696a216e2933f0f08

SHA512
e7090fcfc6a6f24f2bd1df31338987dda8d92f4d8cd3a8ca7388152b4b79b7214a4822d6d5d987bce17267b3abf7ab1178c022211debcaa193143eea219aec48

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7cef900f34e65a0349a6e94777703d7f

SHA1
3e929331550c33bb22e177efabaec9cf783f9d35

SHA256
7de8922b2541f2f5f4476186b737cb411ddb1f074ab4cdf0280196939b3d58a7

SHA512
e5845d7e534a69b9fdb9612b3a4110779b2ce2413b39b83a70d4952f02dc4e37dc3a11d58117c5cb3e2d9aafad58b728c50bb5c6739952229f0db36e94e92acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5bb8eb4ce16c44c6948846ce2b8229c9

SHA1
fb059d84f1939012f4225a90832228d1fe3a8c3b

SHA256
b62d325d311682e8513748dc533023eb5e1adcb696ca682097d9014513dce775

SHA512
be42255ba31a9822deaec1a86d313ac45c9a21ee717301f9ad269a1b650e152fb1ee4f5ae395ebb9f37e118ec5ad3ba9adfd6e5b96aa84b2c03b30e3fde5f435

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
48c05d9cdcbf3af2a7a1dcfd7c9858b4

SHA1
e12cd4a3300816d0a31bb698e887795045d7d9ec

SHA256
f037fd4f2ffffe1da10b2fd4793b4f0f04784d76d9bb778058bfe920fb1fe25e

SHA512
3506dea89b9b10829f1e5feded73b72187286b27aca0baee4b8d915a05d82ce1285af0aecf2b62706dbd4b88092c8f43ac2deacdfa651af2b86a8efaa930ee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
968b3c01e2b030d5d20b9470763909f1

SHA1
5f712220a6ccc1739bed2fb990e055468e268169

SHA256
f0a312303d8c3104c7c286d52f23ebeeec0160dabf1a75fc796bdbb3980ac424

SHA512
d80b31918b32f538dbe69b09857e5baa39dadb1f59c27a47fd0d95f7da48391d26b77aa2b1befe5c83610fe3c8011932ebebc53c68f46b25ad2195aeff88e379

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2edda0a896f51db8cbb62da209ed044

SHA1
99ed607d07287a4076a96a1c7a6b033a8f08c4f1

SHA256
2a55cc773d514ede1698b635f1809fb12c1cc0732c9a3adf5c075fe8d54c4e22

SHA512
04b7a97f36a7bd1dc012d823dd7d2f31cc2eedb88819b6ec4e3d409ab0e4dc08ec2bfa4abc5089bf502f76254fffa729645b55809f7e4f5cca6d7b13643cb603

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
997f23e92783433019a8481b8de20e6d

SHA1
a28470e5d9ce5be6cc217cc4df813a018680124a

SHA256
c883515c528572369e0116b292f611382bc39c8308cd5107fe15b8ca2384e824

SHA512
d0f9a9b4f4e5741de643621d455412bf71ddb296f8a262dcb53e16db9b3417d3ecb64d3c5b43772bfb39f3f8f1cbf3f6f653c81a31f5d938756b02bc95b939e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bc12567e8800001db8cdcb007e8c6db

SHA1
87bb7ce36ad2fbf892272177d0189bef78486648

SHA256
2c1f8c7dbe3a7a38528fba17c4a64515e69b6ff87008acc2fd421cb67747478c

SHA512
7428be07b8b256e40702ffb3262970b7bacf103de49573cbd7d4a642f6f73213cbd8b22ab0aad9eb0d1899d5118049fea6c7833f50a6898e5b0fb60305fd773c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f621030e4725cd4787b06c47c217e2fb

SHA1
70c8c22d0e3b038158bffbc3decb50edaa806ad1

SHA256
36c0c6f76074290c0390ee9f283ea6e66b57573afead56839d77774ba8a4d0dc

SHA512
f436ac06f703f01c8cb94d37a5aa19f29312813822bfd971abc4e6cffd47e172a068a809a40944c4303652373edd5100ca3587d79592f7a4e962007b7ce57007

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47df1a729a2dccdc4e853df61b1bc461

SHA1
7a8583cc713a42a7bd19d57b1c333df93819c219

SHA256
f5c9899f850e70da6e5c382045b186e1905d47bbd650f2665de859085c254a29

SHA512
0627c88ffbba1942134d8766de7a786d9e5e47b45e4620e6d4b79cfc10b42b8691ef2d682cd74fb1bccb832375bc02cce6eecd2e4ff829effcea2200b6bd3b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
777c2f4e489b0a5df1d8eb52713051fc

SHA1
d0248bfecd75d0d1c4ddfdd9caadba923ba20cfb

SHA256
06f0a0128a1a72bf31d567738007bba07aa22611f09096862a969f516b14c819

SHA512
05e2aa4a5788b168b5bf8ff7625b2f92a3b3cbdad572d0e2f852c8b9f51197c46a0e84c75720bf671d1116990d7faa411e96b26c7d9f25453d0ea69de4b65127

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
893f60b611274d1803207298cf26b1e1

SHA1
6ab48bd4680a3d02553b4352bef7a5518380da1d

SHA256
6c22fb0793a7b0dcbff221db56f6a118e9c74995531d0534376f2319d04cea7f

SHA512
a26ad4ee17420e5838334aca3d27993c6ed05431600750a54086b300b8312f053d8cf3769c2549a0e648ac7a6e84a9b042ab30ae8ab5e1f865be9e0fc0b221bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a79be52f45ea4323f108f8b149d5ecba

SHA1
8b0cb03146e4a94a64a36a52fae50eaaa8e8c42f

SHA256
8b7e103a19dd093da51d00db4f26f4ffbbeebb3a25209f7abfd1087489f167aa

SHA512
9489df3a82eca50d90a9be6666b52933dc51aa36858f2554e5b4bf779b3b45102bf13aa51cebf81cf2591c6585649a70e0d4a32ddbd1aaeb16c8a9e677217c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e2391ffe1a4efb8a66015316d5537d42

SHA1
d51c7cd7c1c70096665218802e8b7dc3e73b81ed

SHA256
0130af39bfc84048ff07d62e3260bfaa007a8aed5a533fbf1f92c0e2248001fd

SHA512
0ec7db754da57afca87c81acce6b7f6f9a62bf6a83cbeedfc58afd324740428946ece58e407e6db034166949ef76705a6bdf7ade90a396356b14baf190dc6cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
21bb10a7982b5335f7a6132e3846eefd

SHA1
0a731b4c55902e12fb69ef32162f97b590ef6ede

SHA256
5a66568f3096622f199e786b9b3b4bd90db3fa1b405484746b977a9f609eb324

SHA512
5407514294880ce9a2eecff9ae1a396aa35fb18a7c261b73d65b41bcb5b4575c4baf35373a6bd3e2a8aee4e97bb768d83836c0d01989fb3af7a373f7f7d4adfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fff7a471642626fb3b6468ed8cb6281d

SHA1
65da72f1c8e49a68ba6924dc558ba16300f84b74

SHA256
b7d185c983def673bac1a224cc5c428bb9918d22ee2ad758e84d55ee167024c6

SHA512
9f122eb8b0ae0a0870c532ca3dd2c7f3fb101db6bb352fa343dc3952ae29a29f5ae9bf20e7ae60fdca7625e7d5e09e079c3646a474253382c14946c2b48c2162

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f5be9694ade5ddba6dee67fbfb6ebc48

SHA1
3225bd7563ccf370c2a35c0e5645edf4f378d922

SHA256
c05e4003c4062801917de43370a8dbf3534968714b765b24523036a447dc53fc

SHA512
e516830ac20abd6b3f574a2073f9c38ce0cac7371b00448cc5db7e260ac94b86032e97e6feaf1595facc297747c8bf23f0a3079aa12f4435fd76e7b898fcb5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
41f251b0ea056ed4e59bcbafa007f493

SHA1
e77bbcdf5540025ce37982f88083da4395b17f9c

SHA256
d8d9de196d21a46835818b2041e87bbecfbb27c65f6427650b18ef81bbb1a33d

SHA512
f7db5c88b65caceefdcf3ac3c14b9409b9c2d1633e953115bb7d7fd121ca30e1af5279c76b09cf717d0a7b729412acc5a7ef12cf63e9f9abc1444c270e97fc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c9607ca77a7ffae0579fc3d751182686

SHA1
51b8eeca443c20101ad0e997458e1c4de5f5d94c

SHA256
44c9770c3a5e61c25af60e73da1313f9d72024b562f76594f2e51c26baeb14c8

SHA512
af81deefe11bc3e657e2e1072c55ae726c06db80a5a3a133aa28dd1a4dae52a82b0c774f5ce637a96ea444687079ce3c24057980dac353ee429ce30a311bd8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a0a6becb875c06ccb87f9b03e56f26c

SHA1
537facd4d7422d85d339e049fb59b4d44d805ba1

SHA256
5ce6d7d8172b5a0174867e381f56d434eee1f8d02f5795b9b8dd3d19685d10cc

SHA512
6196613c3ab75791cf20ab7440fd732b532271aeb21ef9d9744cb5438e7afca5bd44c3e35bbdd6b026c57ddf2fd9025d5f282bb3c8f130b628f1677d1ea60259

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
758988ce2b78c95f43d8f78a5ff3dd12

SHA1
a288df83fd6e5287f96003eafbd494a9bb6f9ce8

SHA256
6afc90c95337bacf4cf323d5dbd16e584697547ed019c92c382bf9dca547e51a

SHA512
d7e7d12b757794e25cf16ef0a5a272924f096970f4578e10d274087ad0c346f5093a7cd85792e8fdf06008419ac0efe697485a1a95c275ee4649d9a201bb2479

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
846cb6f221548dfd1f9c09db6f101d14

SHA1
a2f6acf1568de6a40fa15c9a968ccb434c06ce77

SHA256
8ddf76054da333e5d0379d2c7bca9a9edb2e066deda81663d8c0ff9d3d948d2b

SHA512
48c4041fa5880a6ff7c33752fcebd3a2237ab67542a7d950e292366c0f6526cf8531a2649acfe596a1f8784737d379c9f6c0e1d1334de774ffe80724a838f5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
469e41ffa391089b167e40108d0e2d67

SHA1
31487f1d97ba288a64d483ac1057310a3d45b780

SHA256
1b52365e3300247fd6dd580db633ef589523343966b27fad408728b17d9fa55f

SHA512
dec8c3cf55d6e6708f1a13b8bb8473779295dea8cbe062b0fe5c6393ad6e532fecab3c9ebc046712e2335174d612696dcd8e9cdeb056793c4aa20d28ea1c55f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d677b60f0a29f7e2dbab239baf22701

SHA1
014872182b83b1f46c8276258e6bdb258a841248

SHA256
7e39b4546b9ab2eeacb46e1124a3a8d51a69b29b099010b7f4690eca953fb76b

SHA512
5bc2cb64c19c314661eda9916b250052dc55f8afc7c2f232a35dfb9b3e27ad2e13696d48b4738f0e808ea4df84e97b7792192ca6262fd853d8cc6a0e3a167cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
666a8f943bb472c86ff15181fc68a13b

SHA1
d7adb20f1393e3ae96b25143649bbe109fbf6d3d

SHA256
ae978c825277e259426e225197d0d009430e3d64637e170ba0846fe3f8815d6e

SHA512
cfaf2986b2a1f7256be9690a8a3a9c2465743cfcf8a65ec0b24741591431b2ca6f409e67bbaea6c5b3adaf46b1a6a7d2565b7f6e671b06239393e26f01b40425

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fd427f1d0208da4ca2c063588e183a03

SHA1
c37c0d236906610b00640ba0f4aec5f20dcebb2a

SHA256
235160edd3c28131c149728b69e9a9ffb521edc4bbc8e97706fbb95df089eebf

SHA512
3a3f468066e3faf77c7f2d6bf37b4f0df78d73a076880bc61f2d0bb5aaf5789c167e0ef72ccf360ab1548cdece940903d5bf467c6efdfde6ef0d4b89406cc8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fb58762312956c812a78ccb8e3055833

SHA1
61fdd5b225a7f56e6f15ade0fc5fc7039d901802

SHA256
3c64298b33811cec7ee23f11d19d436282756b9a0fea853d8d15bc11198cacc7

SHA512
a380322c2733c7acef5cc23505b1b1c60a0b3bf54538a002eb45393600b919e61f0cb3f2d18291883e1bf37d106c0c54cae3704f35919a282081bdea41c4a608

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2faa9ef8a1ca9619fe4f1fa2fc3ef6b

SHA1
0d9c6b57b5833652c056c0ba575f129223b07002

SHA256
743950e57b6bd027c7253a833fd1d4595d07f8e7286185c3499a1cd3216f7719

SHA512
ac2b710b4e036613a6ce28df17b42e19a9d7d3482c2f202b67970edc620e9b3db3ecab5053318acf91a21bd99bdae9b3cbeba9beb8914ed643c3ac08e1c0160d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4d2bd7b55e1ad59d7f130dcfb8e5b7a

SHA1
c0fd4a13fe233f20d458cad82fc9740c0abc148a

SHA256
6adbcd7a6776317fbc106718e55e11e32a811aa37a5160df901a0952eb76b141

SHA512
08ab7435be345e807572840566743bd3fa159bcc4a992449618ad2409459d6749ac947d8ca1e33d09ac92dee7d2ba0f08ab31f9bd0108af056320860f2b7616b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
776ef7dc8051cfe87fb0f34831a098e9

SHA1
9c31fa8dd5e9a05feae2c8f9b24aa385aea538d2

SHA256
21adb1f4d4da80324cbf3c996e5a6d9be9b285c90d8ca37c171d6873caf7775c

SHA512
7be49408bb41de3a8c6877662cc3ebb600d379e7d81ecf21fa311df10c400443004d691f1e49279a61b76d34a1feb88531115501a69a0d96b9a11511828bd440

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c7d743abfbeef9511d068ac878179d2

SHA1
c75bcbcbac778e23efb4371c7aacf4212cd22288

SHA256
a9f97e2337b0f27d3b032c54a8acd78eaf3b93d49ce4e52b8b5b2d0a7d2b697c

SHA512
ec56bd77f165cbb3b2fa577de0f3fba659b220f6975579b5e843dd6715969e251fe15a36b9550081e690df19afdbb168796ec641562b57cf382bdb134925a7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8f2eaddf560c3d84e19ab67f4ab87bb9

SHA1
9a7584cb90e10c0c6f3e6ca821c2a4368e34d054

SHA256
c482668c5ec34f3f0cc304d5ef12faa76e93e91c85e3ef005dd1c1daa9524463

SHA512
ee6d4bf7e82dfa3e5922fbc746504c28caaad3ea222b3a9ae3c431e7609aca995da71ae0ec14e010d2c69e97434cd95b95c7f4ec27901feb2eeea1209ad106be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc7bb4359e52b88d8443f44dc7066c34

SHA1
f10b6e93a671d0da6e93befec120c471faad4265

SHA256
1a63a867c0e663d9964fa829fc9bbe844bb2c6596f53c809727b79cd94520f30

SHA512
887de8dcf57b81122520f74c21e301cb42b8e85a1e5686d63c879cdbc599c1d7ff994e8d105911f0ffd870b287ee3a4c24cc76d344b8baca9c2604f0696bcd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e510da9cba3786ad656f0d7c5377eaa

SHA1
52b685c6d01650bd7739198f3d0433d55dd0ef0e

SHA256
5e2e86d7b0506ad6a6dff15702f0c1356e184941cdd818056f4f7e80716d1801

SHA512
f779f1bea97112ac50276f7ad8b884c097aa123d05261d0c943eb0dc34377414739049ff7b526705695ac2e02e918683ea1631b2d9835c5555bf3a528d5c9eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8aca72c87ebb3040a2b2a78057a29b4d

SHA1
79e44daf58b2172d692f739a0fa9982cc95061fe

SHA256
4ad79780ef6895f82ef190ef201ffe85a891cb155d2b44c5a85c3bc30c3b716b

SHA512
e04c3f39b60a907c70365d8b3db1e634e4559cb67f6e9baec070b475d625fd854bb2f6ca1d989a7a6931acf0c9bd2077a4309bcb73459161d456d1d87e4d5f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d2f9185bdb0497be94de8d06c536b75

SHA1
c276c96573308c15c0c273823aafc0d1997b49ef

SHA256
4e77f249a82fe79b53f069ef2825e027e2c25f702ec086088376f76a1101cc9d

SHA512
2827620080966bbd46af71bfb7b5008a924cbe9002991fffb5ba0a0fdabc1a122cee4c5c422721e41487a8635496c6fcdfc92d78979d70a705c4bf5c529e3428

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7cf8b3970ae541e31ee380fea84e948b

SHA1
07cbb5932399d145fe505cc7318cfbb2a03b1aca

SHA256
fc7df386376ffa9ac50df24b217064ad9c4a97fc39e1de6c6b6b85e05f4cb655

SHA512
9eccdf8574c28c93ba65892732abe7629dd58f3a555d196d027b030a89df9a4b22e79bd06bdab7bab4a7a1987cdfef54fcf5d7f444ae0dc6a4f66045d00b0dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5f177203698d53c2f64612c192ed73e5

SHA1
d9c98002e3d3ffd3ad0de2799ff73b11d31d3ccc

SHA256
9a6dc1950b11f653066707e89b1f3dc9f52b1a1fea890db798ada4e1261e807d

SHA512
b91cbb54f7c9bc4c0733d55656066f801a59a535b790496c0cab0f5ca82553f3255427cc52f0d733eab00daa5dcbb7c89c0010934fbed24b1b0f37800db44d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
263df8ab102cf0d629095ed8b60a54bc

SHA1
5bc61b8c09b0eaab9036a43a395eb031278b24fc

SHA256
b5bd7905bb4e4d7264b0d426fa2b4630a612ebab6acdf951bb875b61c0510d1d

SHA512
5ba1bc7ceeb1ab09a0a55f39f2c8d2a99451c5a629aa5898c035d273b4794625c8c9aea67c120ca53a79bfe8463d4ffbc763aa941cc11e717d0b84cb3da0faea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d48f1feecf649b65465702ba8e7d2091

SHA1
2b5cd67e422e692de992545e560b59a4cc23773d

SHA256
3208550d639aff88309e79945dc17f32cc26b335f222214cafbcf1aa49bf132f

SHA512
6f6f436c3e8405b33dd311e0382ac4d7c2bb42cd782caea62d10b022918bde480feb6b2a280044e4d2220a05f00720f113c8f763940f2c368f01a9c3dc7dd9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01531392ac4fbe3a131baf83c3e6e159

SHA1
a9e48400ac8731953d2381ad6dd7bd95aa012d18

SHA256
970db1f97865ecd2cd7627ac11bb14e86805d91a03c86ae2352d8dc49afdfe76

SHA512
97adb925b59430a6eef346d69d18f78506342336dbc3f2ffcd463bcf9054b3cd83fcd61c15ac0d9124f7ab79460b0ec10c0bc777ac9cafcd29e3d4869c3cbfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d599e47c9b52fa755cc3fce92281b607

SHA1
e890ba2494db835cce6dc530325ef07051d52411

SHA256
96191c2b9735a391799cf05f71ba399917ae151e924bf83c2f9c87a077ad8a73

SHA512
a24146e0a93144089a994a3880346aed016e31bc2c6dce3d605d34534f208c9abd61eb6e182b1be1a88235581868b12009fcdd972e4dd9b6ab407a53432074b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cba739817d769c6fac20f3f2736ae270

SHA1
31042eb99381f6922303831b08dc6bce85656988

SHA256
b6b8dd224423cf61c258b79d309a433dc5cfa46e3b1373da16ed4d6779d3a39d

SHA512
fec29c01f3b53b8d1148a89b0be34d3561c077d82adf5b79961d43910ccef7894be741a9bc01198f46041c6d1492199ecbd78257ebe5d15e66aa76418d11161a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3971591c0fe72752331a497154e147b9

SHA1
1d861e944aa27f70ae8ac101416ee87752457b77

SHA256
50ca508e9e14960d996a096a1a951cb7e88bd7834f72f1c23b60b1508008b864

SHA512
2c0e744c3e33ea4cdd3efec005e72f2cf27930f077de04720ee88febfd2f9877214299f08185d9c2498e70a95aecd3f68abacce78b97d6d4e14750cc3cf30fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ed0d394060daf992190c3c7dd5f4ad28

SHA1
aa1dd54821c46f0e43aa65531e3218d02e1d7d3f

SHA256
dbc578640570d5349f2f34d3ad8b30bbbc21878381893083fb5cc9f14e0128ca

SHA512
170f4a9e700f6fce3ecd15a7da844ad69525d0bf43e2f30c862bd396564d0d6c3c7b59d08457bd0de2a7954cecdccbb267124f18c3bf2a12603fe9d2864ae230

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95b104f114fc74e12305783f6fda3ff8

SHA1
b1ed70736080bb6ac8b9d9e30cf7d2f2a5fe6dd9

SHA256
e4daa9ad316602deeb404b6304969d807c9f458982ad45d91b8ba6cce3cd4b7b

SHA512
131829aafc0fee6ef8b513abd6c40f200637168c4ba42002392cc7296f7f3ab31558dc8d3286bbfff779b1638e573b44e4f7a9c2cc1c52a45faf3594f6a9eb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46babc0503f56d2a12facb523b86e705

SHA1
027300533cfa868ba3eb3dfbc1eb9c3259562996

SHA256
3d079160b5316de7a956698530508676fb50691f50d91c6fdf0b94da2bd2f2be

SHA512
ae955b10c46742275dffa8a23c49382455d0aacfd217a46d3436c8316da44904142f71979e291bff98dcf5602dd820528dc54952a0ff79f10240c496f5d557f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ef5c0f4f22369a39d319e3e83bc6354f

SHA1
3054331b29206642e24ff4f9433fc9fa4ea8f1f6

SHA256
478e5a13bd8d3b335ccc3b1eb54d2f6c8b930f7f1a10c2348b3b287f7591f620

SHA512
80ea7f8fe0d4c47ce770f3e7b3e432b521e23eb3919dd575aea55f4565b969a15b9b1c3c59a6d268b354cbb0c59484941546b4a4cddab9d40de03462846c678e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d6dffc5d694c7960366577ae35b9c27f

SHA1
de5b83d52a02477d98ce78792bf103766e228b0e

SHA256
6c20696ab9c9fc3acf082f509ad8c4e7bf49e72c44f15c58ede1918b591b1132

SHA512
5d8fad81debdb1c6f9142be0bfba813f389614c0df03ab813bb752b78a6d1504a803562ab4e13bf25cf05c8469d1e24010713ac863f4666240134b97160744a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d148083151f9e767c8715e3a12eeb5d1

SHA1
ccc9a33761bc737b257411cff3b22affc887ce11

SHA256
b17a75d58d73c2f3e47ccdf64081ceb8111603ff0fc1c589a2df71b64ac2b236

SHA512
c239bf8d21df2dcfd6d4ac14065ac26d985038a030019e4780b7d7686e259b1644237298160302890f3231614534958240f7801f1035fc7ca8d841cd62cf4e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb0142d63f63e9939afe497fd19fef90

SHA1
2aa79302f2eb8c1bc9a173b0aa6af7b4796723bf

SHA256
12c68b77cd70167e43db9b050bfff235db1ee9266ffaf0c330bbdd1126a85f23

SHA512
ae8cb53517027c03f7f8c46fb5780e618b933efd1583d048abd09d260f417850c3f05d5130232bbe8fb0d77fb9aea0a0d870977fdfc1fcb47ab9a076d846088e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c79cdc84970bddc8049b537da992bb04

SHA1
f457cbd20e8268a3a5b639aa9209fe7a1a820069

SHA256
404817f26af6923435e34e4e2ad011c7e026c89f6a6339369f6167b8880a814b

SHA512
e7a3f8ad84158f022531528afc3f5012a8ec0d64bf54b0c3d181f016cc335ece4f5d3c3f2192c4d1745cf08c7561854d3ebe60c1b11614bad51da96ec2146389

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edf0abbaf0b576bb65e8fae16610af49

SHA1
a47fecd1b0a6f207fd933cff7cbf2f0fa999a7b6

SHA256
0094c13d29d3389c1f57b1ddf922ba53372651dbc1713567e34e1da0e9904227

SHA512
6e4e30dda3e387709a6ce96f6f16537e76272cdf4ea2dec66db94a58a3148a8853d17fc6c9dee77dcb9f504d2b5e135787aa9c12a76dcde107baa550ab8db06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
946d1a5f8fba156bbbd5dcc770f26e6e

SHA1
700f2bc8829d5e3313561243251d85e195eafbc1

SHA256
5cc1ca5e1a4ae654f9b691112a4f9ea2a1a7050fc09d8bbda3375a96054003f3

SHA512
4b88c9e602fd017004a94823581954ea899af351271dcfd79349f7d0f457ef171cc3b542002154636180d0c52c52d120542e213bba20093f2df2473a08059884

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce3d65a02e2e05fc85fe8d6a2dd363ae

SHA1
279dbea50041bb24f9530d4c2e3b6604632518a5

SHA256
004fd18426b8b5dd594ae7723826a576fbf1da53a1c40d178570678905109eaf

SHA512
7074c44ff6169e43e91565f1bbc02eb98aeed91678ea6a01e3f92f3cf39fac8c9df961fde2ff88aeee377c76d43f70f01ea62d7cf71138fcb6da15944b0d621b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
734e72746e591c258e74f5c7e4ad0dda

SHA1
713dbd0c00e7aec61fb87f7eae9ae8b5f7fc056c

SHA256
daafbda713c2066de1b0196d6c22985a49e22a7b195c263f26b24718b59ae13e

SHA512
bf83a55845743f6968cda416144723012a69c1bd3282a09ace8a2fd9356443c24f844f48bf2fd828a84a88480895e3febd24d46084e68d8b7aa9cbe06f3ab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
31d71dba222ae05036a78e22f7567c1e

SHA1
cd0192668f5bb5d07fca116e68df5ad5d82b4913

SHA256
3bb240ddcb42d000522cc4a1d313e7e63b9f24382668754cfc7c869634aede38

SHA512
7ca272bd765e8329fd020c2d616b6d0d6e227388e17b4f7c20288cd31b1c391673eb5305709bf613a5ca040bd9570a11a02200627ccb332a5ee59a917b6d2e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc79115eb62c54de8b22045185c3a06c

SHA1
dd117040f8888bf6f1aca096e609dacea3d59f43

SHA256
9827d771242d48e812f4a54eb9ead68427ff750b51428ec75384f518002fd8cd

SHA512
b8800dc3e314c789d53d461d64180ad49a5bc4c46670f22eefe7ee6e23629ea3baec48595f1093ac7a40764e98cb7a42c04b4fd33fc651608cd6152b96545cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
96e4b2d746cf3bead16c84d5de07c612

SHA1
56cbbc433c99d7c9c0fa03aebdd57ad2ba8ebf7a

SHA256
502af61d5b4b3b53a412dbbe34b839f2c89dfd63e9a7485dceb2ef4ea14afa39

SHA512
79c30a282058f568616b0eb2bb919c6e5f41dca8df6bf84ec0c4fef51ef804c456be178b633a02846688a7c0565236083acbd18585317321c3a4db658b15d9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bea3fd76b63b74c890d095f1fe2921aa

SHA1
48b25153b7b9c7da62ca41c083b85611f556a12f

SHA256
d601ea4a0cd58fec36c524a1522641d7c1b146052d0de7767774fb91d410bd7e

SHA512
dd833a5b87fb579df5150bdaf3903a5fd6dbbc3560557ed58d0daff6033a107f24f4d068b232e171e41be156e8b3e9701feaa2d17f8c7ad7fd0ffe4aa4fdba96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
18ad93e1eddcff3fdc249dfb8aabb68e

SHA1
e0e6a3184602b78ad5c9847379e85d61a39a7ea0

SHA256
ab5d75f8f07d790bffa6582faab691b0ee3ce3e360c2579a51d382fbe082b4b9

SHA512
1e01733a934d848e8f0b3373746b0553b27083e608a2da51f453a09cbce42acd4eed1154e7990a7e4153423ec9ab41bd1bdedac4aa99c33129bea2ad6d986d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6a193edee78315ed3ea79070bc4f87e

SHA1
74415e35928ca784c3aa9c1f581400bf654e5ca1

SHA256
6d5bee4b997511a4191c825e82b9147183d75910900f185199f941bdfb3411cc

SHA512
563e3a5c663c454b6e25d8dc8d081901d17a61810830e36a66a8d9af7033c7b38e6cc9e1d539161724f43822db53926e4f7aceeadafceb1e351aae4016ea8d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
193593212f8e7801a3357fc87863d59f

SHA1
570856e557b24e55d0bc57c59142f91c60b7201c

SHA256
ed12d6c2785053bb32997d749f38ea5d14e5645cf24d20aafb890994a5d25a13

SHA512
4d4b4597fb058b0a4850fbbac094280d4d78d410e7a92d67976dc1ab4f10f6e00588d68382b8f3381fddfb3acaf48a1851bec7a9c7ca7b6eabd182fd0825072b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92316552a3ef97590bb9fc0d62d4d009

SHA1
96643785e718bd5dbf17272ff6a099878681c237

SHA256
fc0e439ef290e6d9c2505e7acf2c9dc095f853a658366414ca3879b4aa08fa52

SHA512
77693118bd429c617ef3edd1fafc966cde97104947bb0a0a2f892cf1b19d0fd77c3d2d9816b403417de7805516e63aae1ecdd6e6c01808c2d00c5a0215da6f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a8767303f2c48282aa28c6a52e1db82f

SHA1
dc4f61d9b3ffde0cd6a1454d754ef382bb519886

SHA256
7cf152f930975532cf73ffda01588193e3fa5348f255c5e4d539231dcb08db0a

SHA512
cf76c1912713aed42aafc7192783b27a15f112360f4722ff796b403e1f49f3203f0f6d39020d9f284d36075fc2034add0407f3a3378bf530857afdb5c82243bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
510e88d77a63bc56f2c03c5601825891

SHA1
a46983901fefd3d1e932b27f4efb6f555498487f

SHA256
b68fe7263f97450b2e529aafa6141bf485c25784fc3846437bd7f08aefa909ec

SHA512
88345c1efdb5c86a586e6ed217fdb3260340663c16700cfa414666a87ae072f4c10c59bf30efcb981ef890ecca1f72eb47e10d3fd5cee1a6a0fa70a9c7de8940

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
39ef3255cf258cf4d0dd4dc59d77015c

SHA1
2120c97511e9e90651bf95498b0466b216af958c

SHA256
39ae9c404d590df4b6a51407613244e5deaad1b15e40687189ec5ae5ab0281ec

SHA512
b1b635f64e2d4752e41e3163c4efe9bbcae7e698c290ed52f3e058011860a25b00b94e2f54784d8293b992088006980ebca2d13f9d9927ef91c3cc3003b1ae97

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
504KB

MD5
0d55918c5ba95c84e0bfdd16f1d3577d

SHA1
32687fec574667239dbc93b290319409f9a0931b

SHA256
f34b240073fc89bef5aa4271ba241cb2666f410e34de05cf2cceb3c3a17360a9

SHA512
a75be6533056e2cb8c5692afa3dc2d6129e72118cccba531178a8bc8c1157a856009e254daf6eab98787daf9eeff02009adc38373b37c29ee005f1e5dd65a48e

Download Submit
memory/944-12-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/944-8-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/944-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/944-177-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/944-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/944-27-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/944-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/944-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1296-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1452-239-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3108-247-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3840-272-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3840-179-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4172-74-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4172-152-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4172-14-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4172-13-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4428-236-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4428-268-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download