Malware Analysis Report

2024-09-22 10:11

Sample ID 240418-vhqmfsaa92
Target f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118
SHA256 14eb647028f1b3fc6e7fe645624cca094356b8a3083baf05b49098c3373e0f51
Tags
persistence cybergate öííé stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

14eb647028f1b3fc6e7fe645624cca094356b8a3083baf05b49098c3373e0f51

Threat Level: Known bad

The file f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence cybergate öííé stealer trojan upx

Cybergate family

CyberGate, Rebhip

Suspicious use of NtCreateProcessExOtherParentProcess

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-18 16:59

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 16:59

Reported

2024-04-18 17:02

Platform

win7-20240221-en

Max time kernel

140s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

N/A

Files

memory/1396-3-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/2320-242-0x00000000000A0000-0x00000000000A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 16:59

Reported

2024-04-18 17:02

Platform

win10v2004-20240226-en

Max time kernel

111s

Max time network

155s

Command Line

winlogon.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 1676 created 3988 N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\microsoft\windows.exe

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\microsoft\windows.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\ C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\windows\SysWOW64\microsoft\windows.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4992 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ff96bf82e98,0x7ff96bf82ea4,0x7ff96bf82eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1952 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5452 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5596 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:1

C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f8662b329f66cd3b4a26bc82ffcce7cc_JaffaCakes118.exe"

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 1d057128a925e4b4a00f123e5f807bcf rld1bUlZmEC473LZHlFd8g.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\windows\SysWOW64\microsoft\windows.exe

"C:\windows\system32\microsoft\windows.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3988 -ip 3988

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 560

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2200 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 hgshiv511.no-ip.org udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/4992-3-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4548-7-0x0000000001060000-0x0000000001061000-memory.dmp

memory/4548-8-0x0000000001120000-0x0000000001121000-memory.dmp

memory/4992-63-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4548-66-0x0000000003C10000-0x0000000003C11000-memory.dmp

memory/4548-67-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/4548-68-0x0000000024080000-0x00000000240E2000-memory.dmp

\??\c:\windows\SysWOW64\microsoft\windows.exe

MD5 f8662b329f66cd3b4a26bc82ffcce7cc
SHA1 49c7f3c0522266baeb6c9d6cda8ddc79722f79d5
SHA256 14eb647028f1b3fc6e7fe645624cca094356b8a3083baf05b49098c3373e0f51
SHA512 2f031059e3560c13b5cc235485723d545c609c356bf3ca47546331f432d1a2588b7ec63910427782f8d06d429c1a3224803ca222db6d853bd4c8fd28c1949719

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 5b4be72484969938914154a0a0bac1ed
SHA1 5ff8f8b0a089eef1d270112aed67b281253d56ec
SHA256 7f497839f0acccff6f28b1edfb6888d36f818c7f5f92e15ddead922b7c9bd22d
SHA512 237ab8a6eb65d881b418bd1a1ad6cf765dadd9b1fa1521926b351e5843bd81e1d72c5b439c4994edfcfdae7db3df991d21c877bca89ae3230209c84b0271d5e7

memory/4028-137-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/4548-489-0x0000000031C20000-0x0000000031C2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

MD5 cca153d52d3f32ae6d9bcc0a086e8c7b
SHA1 11dbc1e15599a615cf7a2dd9d3601b2b121c1be8
SHA256 0565eb76f278592312bb2d723d89c028bc7c4cad5875c0cc6c0379350d758cf7
SHA512 4d36d4e023679ec5b2a7bc9c382f018771b23cbd5c99c135e02063a0a1b8ff1823cc39dd4755e65b0bcae3221cd54dc4634fb5618c35486d43731dbe4a93c11e

memory/4548-518-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/3988-519-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/3988-521-0x0000000002250000-0x0000000002251000-memory.dmp

memory/3988-539-0x0000000031C70000-0x0000000031C7D000-memory.dmp

memory/4028-551-0x00000000240F0000-0x0000000024152000-memory.dmp

memory/4548-576-0x0000000031C20000-0x0000000031C2D000-memory.dmp

memory/1620-593-0x0000000031CC0000-0x0000000031CCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

SHA1 556297c2161d3d5770b4466ccdd262995d83ea2f
SHA256 b31aa366e2552b48be9e68413448b8a897e41b087b98b11c45bd17c8985140e4
SHA512 7f6790fe7dd005c51e498721badf9f6ba8293ccce61faafc78ab51704932dad3f9a10851e65ac9b96877d0bf63cf4a59f5368bb05357fbd75de0d19e6f38ca73

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 caf4f0cb71875d360c3a3fbde9f7fdd1
SHA1 46e3ff6b86f357a2b42a0192e55ba560d70de471
SHA256 271e2dafeb19855b76cc2d68983b4b52f282458525edaf4790421ccf3151576a
SHA512 8293e9c8b8da4e1c98aa81768297e549385ab1fdd0b1176d39834d416a41b6c406ab41c007cf8ac5ce1f3b069b0dd7cd7d87b5720e0cb61f12cfcf7b160d777a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e943476c665f3b2285c7528ebcd20421
SHA1 8f3f88305c9ba49bd87e47b736b554c579b78c1f
SHA256 857d6c8f48b16f5f7ec281f12057a55a2a25691ba298b7728298a42423fd708e
SHA512 7f99143e566f03bf1b2a65f4108b82f5a257ea1344ba3041c0ae1f92280355716ede36dbcfddde76da28846dbb529256e774aec040929bc2ae533e134dc28f60

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5b692845c8aae1ae2a0ffa15d5858f1a
SHA1 cf725983ceee489429cfeee0fffd2e2d7e4aba3a
SHA256 58caf5b9fbbe4ac4b4c86de17f801422d041ce2ceef4a2bff130645877493e8f
SHA512 d07a7c85bfd4da83fdc6cc4e7f28e35717ac64391968ce42c5eda8dd88bb626680a15956c4c103f3fc031181aa6fe81236a4211c51c5e38bb5018b914de39904

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2d5c34cf773677f0bf72c238a58e2e21
SHA1 1fc597df68ff72ccf9fc32ae6820cf615171221a
SHA256 f15f88b94f56e7e88e0d1e673d9196c6fea043af6963c1ff2c56cecc818ba61a
SHA512 648415179320d5efb06031b91c0edc0e41098161cf181478d6430fb447052791d9366667dc46cb8189e65131d5492f3074a7cdf3c41c76d0584e297a1e1f91f1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9ff54f68bd4e614929a3646d96950639
SHA1 a26aba23bc4a1abe411b7a6b0775d51893ba1860
SHA256 4ac3d474d1ce3f8bddcc10deb46c4fdbe53d9a1551aa5239a5efda074d55d030
SHA512 4e761b9383ed9ffdb06716b7d951b82d1c02d774383b1cf10b9fdee3c973d200df3f8a90aab06bda8f69052c0d7e89caff6e7a013301a7cfb21e68d9e5b96e1b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ebae85bd56faca3fd07a133aab5b8411
SHA1 3f141c6778fb8606d7b68a7aeee7044a508f564e
SHA256 151f74485abf09bbb3618dcd8d681aa7e755f4d3af7c34d9d4f01548a029cf7f
SHA512 911795adc423315ef5a4891e2b215f55955e56c21039909fe6acb608ad2af4506a070bef40f3dba600cc2e86e727707135b3f43760ac257f1654447187e1cf92

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 29c2355622de884d3da0765c9730917f
SHA1 2dfaab759b6f3d8aa8a00e0a9ddd2707d9ee3c41
SHA256 10589875902e7fcdd7031a0e92f273c7d3fbb10185e94290606c9a0d5b3fa32c
SHA512 6c23469e10d12ad1930ff35ac140fc46877e51ce5a2c75fe5f04e05b307089760346427b0250f2063297f3e28276b867d78467fa94e994d75c928d95d803473f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b89400ca70e9f887078e533d7e6524b1
SHA1 e3e12bbd49a18effb6c1574496541b7f48a3242e
SHA256 9bd1584105b05b0ec62c3f2c143d327df9f5e1d8782239fdab3a206ebd526c82
SHA512 763da59f60a3217284bad4b8e326442c73cf91587ba74f2b2ae9fbb16a3301bbedc7d2af332307a7aa6626ca32e7dcc565db3bde6d594dce6f3bab325da98d85

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c4270a6c375209c94ad4bf31c885c46c
SHA1 ae4f9bacb557b31feffade6031dd5e92f9163d00
SHA256 22126851d4ebd0a62ac5311345a3df4a731b248188d414e02548f8e3a80be3e0
SHA512 88b46e4cfafc0eb17c75e459114b8a5636c0076595519a24287d38470e52d166b107db057d33af73a08c62648f41aa3718d1812a17de73c29a83a17f7e5d34b2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 09f171cd4635fbe71e1028a293302027
SHA1 84798b04f314d66aa48073107086505249ce78d2
SHA256 1082200103db80bd28dc99b6a51781c27e9ffb60dce6af7b357cfe61c024337d
SHA512 36980538bcbeee7e8665c8fbe9fc00e773f7b40c70e9b262acd6853d702f6bffacf273c265b4da5b25c47516b3ccbeb0f9eca91cacae392b7682603b4dea6941

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 440f1b9ebfedc5052076c1804cecbb0e
SHA1 d2899251760baa47c52637b0c60e63bdd175d067
SHA256 a5f4e45ae63bcd6e8b8824594721848f1144a7a2945e7da7d65d0408c74bfe50
SHA512 5af8f0655eab2030e9996486ba453e1c87159ad8f92aeb5ea3839753a3de08e57130692073eee0acc89e09b00f7b7bf2580eaa65f14d3640dd08f70c02fb575a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 38cdda36cc86dbc1db192652d817b6ff
SHA1 890d635461b2bba9f2593831f5e7ec8417b3dab0
SHA256 63bfeb975b3d3236b47139ca6c9fae35191a965607aa06d4260516af65c07990
SHA512 72ab95a4f3942f66c787a2f532eec00a5f4195ccf4760e2edd155f6e09a33c19c8b880d226203841fe1659aed75a2f4e14d6d05617ae89dd5d7244a64bda1c0d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 712ecc22865889ca3ce7cc8d85dbe4f9
SHA1 2de502a0aca69157810672e4ed1588a4f70c4dc3
SHA256 9e114cf8751ea21a8eb50b36b2aab786a04fc7f16e600d621c79297dd2cf2c0e
SHA512 97d1529b3e91e7a736fd09d63c628822f4ad269504cfd0e05c34bed50511016f87c02f7ee7369ad9f6060a66bd59eb9f9986d4f4ae89bc62f9120f9ddb1dd8d9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 95662257173fd256dd4b36c73d15533a
SHA1 07e918b205ac16ed76a08989e9efdc4e26abcc8d
SHA256 2b92fa4e0f962f8fccc6244d8e42e227c17d76c42cf435e219b08e7d3924e409
SHA512 82072a1e8ceb2d0e83473941f63254aeeaa24f8fdf507e180f2621a53eb6dadf5333bb478ca1420f7806cc215adff1a3429d4bda599526e25f2b60026d6c38f3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 986fd56ab49b81b95ee281714f193dd7
SHA1 4f1780056df3add4ef501149b042fa1118a67d1b
SHA256 d9dc2b69efa14c7f8ddc3680934f9ead56845c3d5586a3647baa3ee94095310c
SHA512 00d961ddb594275ed3051d099ec1ec21d6562e2c7c09aa437a38915fadc44ee37580020053c39294702b8d538e2fc94ccb6ace75061b8c8320db86c0f9fdbadd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5d54a323ebac47a020a6931d2a9c40a3
SHA1 850ead515b971b2f278d4fdde13cef5d48f8a4ac
SHA256 6f8ae4d2ed9448452312f015fff826a1ec93bdcef8024457a80a06df7e5ea510
SHA512 c172d1555a2f9361fd4e58cbaf14de3c31d56209649ba589ce92540d6aa367cf61f53b02875fe327801f2b8c1b2557b4f3f6dfa919f240c9f8586902c010f226

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dbafebea911b1d91d36d0f5ccc1c44ff
SHA1 778c3b4c360d07efb4119f0b0b549eed9ab0102a
SHA256 192bb6a0a73805b8e19be26a1ed7e223b4411f8c2a97505b59f2b2c4329b8940
SHA512 c3657f34cf953131495f4d3914d4caf7cc5c3e2162c5b6c8f16b4a02092d43f9c9a617070360780c7e90cf906a5dc99212ce6f92fb305d7c44111be3f10c902e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fe54b95fe2fa365f234f88259194d555
SHA1 d2d6b0015a28a826607ee22cc149879eda88b215
SHA256 bd61f7af038af868bc87377d8fec79bd95311c5f0f013fdf1a1062cb544f3757
SHA512 87eb04c5a1a94435f4080c82aa9eeef832c6f347301a7d2717e55e668988363acf1a83c20f5d2b7091ff1ba16a20cc201fec9b3853d3cde0537ec076b0fc3ef2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 432e4d969d26e9b2835f971af9de4c14
SHA1 c9c8fe68261bec9e598f614cdd9c8347b1914613
SHA256 6aefe4c89f2bf27d94ba5868630c3200d5f14bdc7395eed2a20b4ea6231041d5
SHA512 f8c7cd30b97196121a20f13e64b73bd563119826a873b4ea5dc787a9860ba51353194129962fafbbae0e1066bc1d80c427e15d1b0e9aba60d4890f5b8f815ad7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 48ac76c2b1d541f4842aa83636e597c2
SHA1 cf81fe238dc6a30fbf211545ac1d43f7ba49a9e3
SHA256 d90ef4fd339ad9ddd7924cb288f349f9a7a6f52680311099e778dfcd9aa93396
SHA512 f5b19db7e859fc477364b7d42817ffd8bccb641c5f247de7dc196f8b2f61d5b9953b5883efed8d26211ba8e0872c74855be011e4a01921d46cf4b2f44f607a04

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 83967d396918c25a5f7b300c2339e4a5
SHA1 086c8c8fccb9bdef8cac06602c098cbc64d9e089
SHA256 da690f15ab933cf8bb0c4e5adbcc124b501aaae2a366104f59fa4e4a5223c74e
SHA512 39de7c09c542db50b2b02189785e55e09b5b10b6d2ed990222c8af54782f2633fa2d300bd434dd962f8a6c59c1fd2dbaa9bfa46cf2c3b34d882c8c289e2805ea

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 955fc7380af581af60c8fe39f97a1ad7
SHA1 da4468d9e4d189411615239ab2a300a8817f435c
SHA256 62b4633a7c7701aae3916c89994bb34a97c05995d8929a9549524316b03395ca
SHA512 359cdb26f1ddff8936f8df587efabf62d79b9914714521e72b3f9df3ef017d4ed3da78e91403449fdbcf2c6ea95b9a528365a8e51db0b3bfd14cecf8ede2610e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d6aa6c548d7770b2487dad13c085291a
SHA1 2ccd9cb8a5e0d9a219638f45902650d2453dd199
SHA256 1041f6c4c5eb55f47a6581876f11133b78f6613b02e3d0d4de481518e72f58f6
SHA512 3ee8dc136ed682b55f2549eae867d74da32950f105dd2bb023e8e8dc40ac14aa377f26bff44cf871ea4d71f7f671d18dd534c4c880c0a02d47bdce7c97d533dd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c56c17d8f353483a66413d09db0daef7
SHA1 a4635fe046d59908335cad321ac99bd9ba5a8f4c
SHA256 cc1bfd84336faae9ec7579ccf1a5a23d53fe16dd16f5496d554e416e01b66a0f
SHA512 e4db0a353d639486493a5198cd852d27e18b1f8d3b683544f4376061fa761c2c270a5e62bfe89cf118bf1ce1dea75b13954d49cbb466e2566a1809f445bdb28b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 15eeb77b22f37ef24e9bd7014d4b54a3
SHA1 36290a637a0759e4e582d824110668b0089f2b60
SHA256 b9acbbc63c4f6645c22b60202021f9b59548fddb70f494b4f702752cd51d2845
SHA512 f96471eda944259c9eb31b3f462fa7d5c468db390759bbc1479193188bcd6a591d174ec171af58ac2cf67299f53c90a35581d229d99981d2e7adde8d75c777f7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 594fe853dc48e2ccf9c947207aa585e0
SHA1 297901e52d4c819a933912fac156582bc973fa8f
SHA256 51762a83aae61b2da0e8b3691b13f92fca56ab520ae6bad14758c8190357731f
SHA512 0db3b46b4cb54814b48b2b3e94854dc81583aa4ffc3f7b7a1d6d31d70aa3de7a0d78fc944e229e8221049a577286d9c648a11fea7fd9e3f3f6b3e719cbd689b5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 473d40f4e6e9870ee97eb0cc2b719ca8
SHA1 6fae5add4116ef05f5a90fd099b69502593ad726
SHA256 795e26b615ddb03790d828e34b7bda17ac4a214ce900a4ca4daedbea51523fa2
SHA512 87b34e8f8f39bff4f89d1a44103fec7058731054d49a5181db8cc114a9a7c54d5d29361540f3f7e3c283b269c074864a87a61082d818080ef3f521a36736a45c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7ea0fd4e98bee5cdc0c05f3032d04a57
SHA1 c9dca1e239861d3390687fd6ac8dab23c351aa42
SHA256 91e5e6aab942fbd26b8411e33b943e509e207e813a29cfdda555031c0fabf4d6
SHA512 7a93c5dd37358e818cc07695bab5ef185c42f99da340a5665d3f647530a72e8738fcb47bb5da1188e5c0e9b8ca2d6b181e574926d0c8cb8b2554721c9e434d93

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5c4d7d05c45a4099206b55fa2c009305
SHA1 426d4346d0ed579dc5ef8be960cefe409e76bde1
SHA256 c97d13c324c65866706a9a26d29847f959184d7ebafeab9960f1fd8cf1f36556
SHA512 cc8dbbf9085206bce58921849a212d6c0476dc6db4536cb042bee32427543e17e13f87547a0c26a23824038447ae29b22a705abf7019e5c20b1b68ae45b12af6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 69ead45b5f169fac9ccbc2fe28a33b0e
SHA1 454226c68bf9121638fedfb98ca609a10a7a7cc0
SHA256 9a0dee1c8a95e0e7dc571eb14b6fcffcf0d1f4eb3a2d1ddf1221759e88e3cc26
SHA512 2fa790f534800814a9e85129a170249186c63b7d3b47073945e63aff1f44f9c2d3374290e770748b40c8daf2118daff3fc137d7d14b38fc4a6e0763308f55c0a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 17ca09a329e5db18a64bdc6c1d477cb1
SHA1 72d5b96f4ecbab04d069a4ff06e37dd5c548f13d
SHA256 98f53eafbb042eb832e02eb01a474c692b0dfab8da488a3e15a08d13b400bc54
SHA512 236d3fd6c99a3a7e621b124252982ab248cc63228b2eb567b6cc69e2b2864b136c933c18f9e20a69af3cad4d904d1f8d28d74d1346ccb278e79a8a5e3fdedf3f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 abc467502ca163f782bbbe82f0a33fe0
SHA1 01cf9499f3ff0413f6ffe295f4db630e214b43f6
SHA256 32feee58318fca28975455df52c18aa58c3db44d7e4a5a3a1b030cb55bbc299d
SHA512 315a0481c45d7cf5cb6f2cc8429d8981bbe9cc3432be1327f07432e1f867d5cde369123cb2c2b0a10690470ca656aae0afd89dc5c95b3ac6062fb291b74e9240

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 572e476659ef955b1d69f24cb2d760ea
SHA1 6d99296e0f4bcda782541972e5d2f40d87774117
SHA256 64679a9344599c6001fd27919cfc786416cc010c31f058f357cad62c9e6f821e
SHA512 be5412e784bd8dbd504da9cccb9e5299560e1f80daaa8ad4643b201e0232e0fd5dee169df050a451e1cfc064775eb8c111e2cd4e09a8067a4fac0ba9d776ff16

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b2160d3b6d91ae59506d995c0b03fc08
SHA1 11ba95ccc2e1abffaf5f62d2299ecbaf254323e7
SHA256 819b6e481389f30e6eb66d633d2c7948610ceb7bb6f49e5a51c090247523786b
SHA512 179f1c81218ca8a2cce50347e6b3af5524f89aa6751eddabf8135ba5e1562fa8c7120659b25091233c86fe743905ea54bd3247ae9a70f233018805a1470be7c4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 701ed132e3be3b294f91cb029f1a4dd6
SHA1 183b20acec60e64fd6aec6fc0cd95d7c5ff3dae8
SHA256 0e40e843f9af8cc756a3bb256395406566624e829e1b2dca3029fbc84ad810f2
SHA512 5bcc75c2436e98e3c005f12e8844d3a80eb68d5fc7b097bda3bb699886354e186104ae5ec39efc0a1d138e9f57d520ccc5ea60e909353c969a02e8b4b2895464

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6485cefc9b7bc067f43c58a5b66797a0
SHA1 57dd0cd5649ed3ef2a758c12df24a281f9fbca6c
SHA256 ef6028a90d7248e31d698eb0bf27af901a878e328b0ce8f0052bcbc39bad2c4b
SHA512 f36ade54f7414892a4a8f45df4dc23759e503b8e795e42c49534699fd36453d1868145c2824c1e696b0416f65d92854a474a8370b3be947cab0527e908caf24f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 054059c7bcd9c7be19e331c22bb8b069
SHA1 35fb4ec0bb052885b739fa4c423d372ef5cefa8c
SHA256 20142f5f716f1f9024a67ba314d02ddc2409f8182f23d392e08969564619656a
SHA512 92969819a703fa9542fb5ee59cf8183ebfaf0ee847b9eec861c5e3a1ed14f23de588c6d849e63b8f496e1d24c980efc1f62274ce72566defbf3d8d60f1a0e041

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 67ee1c5590851da4b44dbeb9633f6e61
SHA1 79d38bd2b6e839da9630e4254b9c4aa7484b11c2
SHA256 700f47aeb6e811cdc883b7958c440a9751e626527cd8caf8f71773520b28a11a
SHA512 25951eeaca4a83bc6a81d619cf7ea90de62a1b8f2aaf8687e01654fa3e95bdfd7163ef105791ce6ecd5a7b32951ecf70e41ddc500235758286567a80f057f550

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 10234d0daf7d544b9e0f2b162cef151b
SHA1 477054c378a76551e45e8b4f7dd70257299109e4
SHA256 8b67476830b05560a7ca120786b3a5c9edb0ab7af4c0a0a52f8f113c1b182992
SHA512 b321e922031a262c83118fa3e448f966fbd6c9fa2251661fbd72eaea3b0a5b7ba79b8a7d56a14c8b6f98a5c7e6c7f0d3a8e210db7fcbb6ee595688752f20916f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4b854bb2352aca411c6a7575b1a6573f
SHA1 11e0b278045df183909b1016b8eea957e33863b7
SHA256 b492358a43425ef9b29c2a0856f9f0ff6fae61488d13280e5f3992dc680cef2d
SHA512 8537de00568f6ec8bd12b40357690c18701a8504daaf87938d6216653ecf5d529199fbdf77b2643226980d10ba3fbf69e63019c780689803d19b3f6d5b7e2382

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 285125d41dafb4bcc05ae44a041484c8
SHA1 a3e7f72d462d68e0e4dd2a4ef1d4b26bbcdeeeb9
SHA256 6d144daa412b5d6ae0455b676add010bc6c11dce58ece3c3a3eec8e68d851de1
SHA512 1f4a95e16dd923495b09d04d574ec094be55ed791343869019baee89bf4790a30cd6c254c35cfd5c56ad9e9884b87ff9dd643f6991bce3c86358ca89f5ba0e96

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1fc5a8ae00f28b8ae9d8ab8e157b601a
SHA1 fa00d680b02672001a7226272fa27ed8ab8e8bf9
SHA256 4e700894b4a8eca20803f8d804284ef51d28baac305bf8f87408b880d6476b7b
SHA512 abaf4e163181b60c7dc0429487b61afcf136a3eda4cd4f10f477676b6c4d179f4057caa1defad1e37a2c0b5870e601764a3ef1428858d93496362bedcd6c35da

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7e80c43630ccc2538dab0368b831c0b6
SHA1 55ef6f52f5adaa0a522f5dc0268deec53d2b5bbe
SHA256 094389d5cce434719e5bfe6fc35ea336e607cb0e878859e07073014d3d30317f
SHA512 2d9293e6672045b3356936afb26a2282bc2c7b95a0ad095b5bd0162e4da45d9b6e1c281da916d532a540ed41a5ee05fdecda8bb20c73065e7707e8095002c34b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1b3615531fa4e2d696aded1f8dfb101f
SHA1 9adbac87ed096de09c3497fe62070987f21e03a6
SHA256 a4cba2775cc70588264d3bdb988597a8c3d9522355b957243056ab572dd69a99
SHA512 9aae7b6e8649391d5c140673975063a6cb2ea207a61a6013518cbc26127f918fdcb98796115d7bb3c7a28f3fcf0bd9009858e129724af0dc41d6e83faf837894

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53d2936ecbb4ef901afa95581bc2dada
SHA1 7e31f90043bdd81a9608ebbb34fecec362535219
SHA256 3248f42e1e064f4ee6898a646b88e58c7acc941e5ab294fc89e636287d24f23f
SHA512 eaddbe8d65e9f3ccaacab450bbd023fb4750b952a9c208c5cb178b4c6247c1c9425fc1b19ceff5617346c8e57332972902651f9fec4eb9cc891059f5a93cf88b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2c77cf9221b0ca7b87034bb354fab8a3
SHA1 04c3030ece11ac8bb433722327a08d665f2e1074
SHA256 bc3e1f93f2fa9e7d9737830ce6128eb96d776bb14270d10a5894bed2225cb2d3
SHA512 772cbbdd85f42196380d04ce0458a3567bc745cf50c1ba486c7c688fe63d57894ac2ab25ec3f55d9b9edcebe52698768412c7189f2e337ab339887e1437ec772

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28c772feda70b4d335626430e11c31eb
SHA1 edd2cd3684c0b8f046781a81fecaca189ee584a8
SHA256 547c34c782fc7d3fa6f9491ac5e22f5aca26cca93eb55db54b9d053d696cdd48
SHA512 8739d830dc92b9c9c9a54f148d336efac7db01f76d7b4d03fb0fdd46e2bf63db4dacad0761469502be7304c209d44f7c8b831fb2021bc007cb5e718a2553a319

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7954328e12d2f66bd05d955ca8b9b923
SHA1 f0d0810601d711b944d55ad078448387fdd175c6
SHA256 30821b7c008fee36e2c7710328015095df92a91e9ce08dc6cd77aec44328f6f8
SHA512 0d3ffffbbb546490c62b05088440f1e41dffb57b5b34a779ce1633da0d5ded17d609a6a4084e6b49a7a5234a2c74969c98d8a44a6ff9aa4cb438a2c6e42f6c5e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d4b02c6e04e1f2cf17adb111a1394d7e
SHA1 6ddc8c7b53560f73e200ce1d372d5f279eb74cf0
SHA256 8a9d802374899875e69bb25f71c568acffa8dead40b4e5b721112b81cac4f81b
SHA512 e1754304a3d97d688574047862f42058688b045ae9077bc7253cc619ea756ad38d9b6d6002ddf8a30468ac12aea0aa79102d11cd16022ee4b12069ad8f752e43

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c70a937c0e9d848c67ccd4288e5b5db5
SHA1 e1c91d8b97538fe4bada5a574ce54449e4e67db9
SHA256 73ee8c57d3e946ea5e70842b7c08ff9e945ca4b43f455c4b0005383dda2eb724
SHA512 c3d18d644185047c7983fb8739b3e962f8fdd46923853ee0f9356c12e9dd75e2fd3dc17b6fc720803087e7d54fa0cf7cf20bf0a1b058ded3443e6cb25f9343a6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d18569034a9622304e2a63c72dfcdd23
SHA1 042ffe665f2c73addec9485455c38370e4847d4a
SHA256 0c03504d11820e038f3d8a944843011b7b1db517b4e79a356c4a33744ed1dc5a
SHA512 f3c457fa8a4be2f0212003dab764ef84483ad7bd52dac642e6369bd12b7e7c87edf4e59f7f72c38d671696e3d58b15a09a141b184f4248d722068565ca33e0c8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 244befe49b2b02879f59f146fab83cc2
SHA1 05010ac55782c9748704ff8549dc8479fca0086a
SHA256 3328b1e0046c60dfa1cc248c676531077d560a962df5315e1faf610456607b6c
SHA512 e1987376ff91ee55db2aa6397e027a892f5bace2307a2c7664254bffc906531baeb30acd3ff782d5928b38429df92c43d27bb73ce19f4fa1019d8a62639cd0d6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 165c5055516e5adf36b0377ed785ca76
SHA1 4cd11a5278a77dead212b54ec55a603e8ed70b9d
SHA256 3380a7f1ea712b92a8e3cf105f63b8cd8a36fe33a39c91b2e0c7f9309228b868
SHA512 afa63ced1dffd0c56632d5a28919fda25d10c23f5c61fd5104bc5e0b6208e74385af73f65ddf74629962c836c4b5d8d6c98c45565c474e78ba5fa7c6fd6f3f59

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4a927bf0da0c6b0f732bbaf45b13e2ce
SHA1 c262415006f57f45e6b431fe0f92af2ae73e09ee
SHA256 605a5accdbba281656d81f2a38498665d344904d28eefd12a4cca898fe9a7f65
SHA512 c5d55f2db76222c277627c977e5864437884dcf4ffc00f4025116b964b52b628e2b68fc7293b94e404c8a565854490acdb9170e8eec0480dfefc6cc9b1ca7c26

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4889ba79baca9e0775e2386be5ce73de
SHA1 63113152afc7a621b4eb1ffc2a07779f0787402e
SHA256 b5ffc3bf88c95e3022e5e43dc1ecec3a2547d5ef67a228838c915f6ecf223ba9
SHA512 6aa1116a198e2008ecaf3862fe6602fef0d3216a8e0e07e37167440b5486fa5560f617c2b1cb405375dc63fdae30df09225dc0dd08d9e590917bdd1c1259eddd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3befbddb34fb745c8a5b8a63ca03b679
SHA1 3a32c76bf9314f92a9948e4d5a0976069dd6a7e0
SHA256 5523ee5d4b6410397210dca88e0dbd17d22c75f636587d8b24273c9554e236e5
SHA512 dde738bd05d0fdbc35aa4dd3962b58967196b41af2891efb4732ca9de4a49178ee9312043667365d59fb12320bdc0115bc0e03ff33a9e9cb86548214b95a7567

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 65c31150d693c1f09cdc1a70c7c52170
SHA1 e3e729aa27edf8c5c9ceecb821d38a4ffac85cb4
SHA256 5a2b42e8f04fac8ba81646949de5bc27aaf295693b119cf42452cd48cdf5312b
SHA512 f5738065df5bb32b3bfb1ea66a7b86940c6d6801619a1f762732ae6de1aaae1592701667deb29af0261fb1a4d29f04d4432dc10d0abe693bf28030f4f82e609b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5552b6336cbfe0114072ca5933334461
SHA1 0eeb83120abac6be4b4c66fc49172c27d4bd0566
SHA256 bff71fd07dfe446d51b0859d251f6f6e7de9553b3880537decdf2d966ba85d89
SHA512 dd69fddc26c19ba7e1bcbacab9e84bdf15a1e07351f2b21711183126f4b9a1030c50fabac3b89115db3623b6064edb1573d90b8734c4db214011f546ce388656

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5820e052c36e32b346d8d53bc27c6059
SHA1 ea51dc82153b747d199b3402bc5e6bb3960e7c43
SHA256 8359f86eb81cb86efb163ce444053d641c30940ea93aeb0144ab6b94b6c9b5ea
SHA512 c61513d80f5998007cb0ef7507924ca0d83f0d107ecba896ceeeafaac86ae3d11bb547985c2d9d8b076929d9fa725b6d5ae8494ff3cf89759087b36d042a9ef3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 04f905b5f2d5a8de6ee54183a9a11d8d
SHA1 9c251d6280f2327b029f5a1af59f3161c7ff86ce
SHA256 56b5c80ce84dab2aacbb89ea5c0967672fdd740f2e2c89c1e821299057807b5f
SHA512 d265267adfe376e0ea8b230905b5ddb16fa9f068db17934f39974c37236db79551381f76d450f2f65f4c5acba3dcf215ec89157c14177a16160382c797c70d0f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5e3d4d844bd2cf7a76d58d6f52e91d2f
SHA1 0f0d7abcbdd55207fa0ca7bb116bd0c7ecee9296
SHA256 ed404436251d0782e99a616f44a063115beee7c66827552bff97ba649b9beecf
SHA512 cc841b2e67abc0505ddf4776c8eb64c9ef331cf8338b070a2853f83ceecb3482aa0b92e840dc50b162098a840a363854c48efca452c189c5a488d5d0fb2d1bef

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f8f7e6fa2091cb647bde1845aeca3089
SHA1 05cf0ce272a9c592986c5f00ccd49c96f2183991
SHA256 362aa82fa8a954ea4bb65498b9dcfb3a378fc6a4352a44bf3ade7700f901b59a
SHA512 7fc1c26bb9beabe3e2afed8e01c2e8ca15bd1f5928aa5df54bce9864d78d8fb4ae1ac034cd8272a36eb8348d07c9d6d8e370ddcece3484aed448566fc2c2373b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ce76c004df7be3d4ea58ca6a4f1960d9
SHA1 6b55e8b3702b03a17fb6c367935808595a466a3d
SHA256 034037ba94c2d6fbb3d6cff61811fb9acda985ca8140c6920db997cb671830a1
SHA512 250fd6a5f0731f2541dcacca2f1a809f2d3b721af773fdb404046ef489bae677f3fb7a08da2139f18f014c913b0d4b3bfef551dfba9e06dfcebfb2a49d17a61b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 927730920aea00ede47b6261bd17aaf7
SHA1 8d776306c7fe644a29e7dc1292232bcabccf6dfb
SHA256 9cf128e0391ae28cf34ff728af08b04598d7c65e0bd47a641417236ee3fa5ad0
SHA512 8750587c6738052bb4dde4d08448623706a2ae9af6e7f186288833b055f2711dc2bff33aaf834b4dc9d5e6d82f6c9eb3c8dcae463540fe866fb007d5cc3eb316

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 576991b5471304e35ef578db3ab5de82
SHA1 e24968c297a8b349d2b8ba2e9f9085c418add49d
SHA256 65adc9592b6a3c0c2a9c9fc16be7b697268f2764f13bcda8ec67391bcc7c7b20
SHA512 2200952a150a8ed9ee89aac94b50428624f3d461c2462147a7f918e9cdf67a5a559dd53de1012e5e1f4e4a434b3f4353437ded4751c4a6c2bd7b871b4b66aa26

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0d01671f0ccb8155f676b180f8a65c7b
SHA1 2e4a99bd0a3521810fe41e8cd73377684a60126a
SHA256 2c9b1ec73f6a3b82ecf716e37b8c0ec97160574cbd356caad64885a5b60dee2a
SHA512 5e170034b249b80b81157f783ff922bbcb2b433791d58155115b192b9d3910dc51c911ab96675a6ecda06cd952f7887a74bba51fd62e4acaa7d5a8ac2daf2de7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3c29b78929ad2263c1989121a71b9862
SHA1 bac25f8b5aaef897395922c23bbe0a56de67f98e
SHA256 f91ba7b5da27bb1302f9e570483fe59d08480edf6c226a434e678f95f196cb0b
SHA512 c3a068dfb9216c7f050862ec6ce97f38405d048a4b897e166f3591cfdc6065e5013f32cb571aee73171d30af0a2d6db0e18a89eedba9a0ed1203a5029cd3a5a3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 01dabf58ba78fca62d3809b1e4d6ff8c
SHA1 6140ad62f8e73d64bd8cc4afe224bb5edd5b3376
SHA256 b29e67cba8847a748cc9a81c311619607bae997c886ef59aec9d2e45042645c9
SHA512 8277164f860854dc447ba6906acd9f58a00d73349c085d45bd4faa30f8803dc353ef7e1ebf8e0aa0cd6abdff8ba6b9f1bf1e85c517a34ed52017ccac36bed28a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 131d8ff04ebef747f58ec53905024c98
SHA1 2b32646ba38466b3ff063344a41ba0176abd2db8
SHA256 ecf401da545925d3a8538a1a7e3a6a0bc418cc9d9700000777192cb6ea7644aa
SHA512 b9e5720a06f3d03fc8aac279a3375d33fd6a3e7d35a8eec95888298e9d219086f7d7d1251120311ecef49748d23eb229e21d48a67c704224eb4e3a7830938e25

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c03b132ef32a9c45190a3ed96447713f
SHA1 b4890831a4badaa1a8954c2bcd443977c2df931b
SHA256 4e5ea564c8c64880ccf97686c32085cbed0e55f9ff5faa2c2631c94d4be43ad5
SHA512 0364e4f5ecbfac60039dacb59c64ae09a05e8b81bcd6180298cd3d8418e412b700073444a89dfce1ea232fe85418981257713e008c129ea4ad306f73fddd6a20

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cb469f92c457b870d4070908108250b8
SHA1 8efaeb07b12656e7209b54945a510486a51afaa2
SHA256 b19b9c2f1df3505a53cc66d3c04d9b44295eb5717befda28fb187c027ec6b239
SHA512 ae8b96bbdebf5ae3c24bafb0f08e6bf8ae9889e4918c40280c2b840e767906bfa1dd43e5868fd51743e39ffc2acbdbcf5917e409798321bc95cf8517984d346a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fe6d592faa64eb7d4a41b89d68e214c9
SHA1 29019835111f9bf310836f801e7f438166b55aaf
SHA256 0250c43105e2ae3f7b73186b4db2c72e388c5f4d5a67afcdc1054e979929b2ea
SHA512 4f413bb0669b133b03cd65a44f9c69804d5dced7dbc653bb447c55edf9f9c693f07f4013438cbd71fcc22063de8096d944afb60a15613c3bfdfd44e04b5cc1a0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 674cf6950dfc6d5b039a3dd7863063b5
SHA1 d5803fc553e84ef66ee8ff2cfaca235bec33a4a3
SHA256 020490079246e3d0a028a0ffa10eeea53debdbec058c8435377ebe016284d1f0
SHA512 6561c9d957c8e19e076d43915df3cebeb6472e04263856df2b491afbe8ffcb20618a5760f80047be3da92442f56dd0b32431bb3b37b72169d3be8dc945cb9902

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3efa0f81791654ed02a8f79b1a6801d4
SHA1 073f69b19680ae4080f6492f040c48580af9e218
SHA256 f90df4040ad856218fd2cb86296fc3ee65c680961cec4e1026a8dd2cc6abeacc
SHA512 9828254c4002eb861da118ac5fd568643c2bfdefcf0374d10e6f4903b2afcefd4235a5a74bc24f38c585473d919ff5edb2bf55f1279b736c637b562132861f11

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 30434dfd3b9342fb084d908507d8b7b4
SHA1 b4c57cc2060bd03dbb518be0e6b256b04c49bf61
SHA256 c43c42a12861022a550330f38ee3b36897517649407fa92f855441811f86a1b6
SHA512 3f36e7054b493a3312f200bc69f96f02627b3ac4799a579cc1bea7e174017687b999ec504c73f60d0a7b15e4edf427f29cea0c6da23587ba532dd02f331a17a0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 dfd715f3f089ffd7d6d8e6cee39672f6
SHA1 339f1b8d0c5ee520cbb8f160603f626b2a4307ac
SHA256 58b608bde6b9ac8a2a704754f774fab6cf52a6740a8fead644be92e164dca8d5
SHA512 6d65c3f98fea26c08ed2aa719a7f7f4f056c725a2621bea55a181d4cb8adcd04b4b858f130b2f2f4dadb3fe639934b2a9370e1c6e7dfe8ec9e47cbc3be279921

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ff3db0128e85af36ece853b484599326
SHA1 18ccbdb3f458e98a1f22540544ae756785f28ecc
SHA256 2844f8072734a8a42b60630555b2149e122fc8d5df2b54519e569470592667fc
SHA512 38b44e8693f1c1846cd4fb2a62affb3343214919e312d2b24253679b6cf81893c50d8dd6fd533d83c8e9b432b940a1f45ad763bab2eecb60227fd4738daa1ebc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f02c5e0210c7ce7d91092043ae3828c3
SHA1 7cf17783e86d8165d35cfdec4b0cee00bf76d10a
SHA256 c0884fc70e72fc484b90b2e3c4db978d821954e09e75b40ea1e6f899292d9818
SHA512 656e44d5d40044f834385fc9a8ed392bd323527eff57938da53a3cf25fb320dbf843602cb1fa73b0d5d68e143420dab92c717d905c6cbed1ce2f0af25f67433a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1d519e672ac860e7aab35f72e7284739
SHA1 9a52dd3deb95fef352a0e0913d245ee8fe37e4ab
SHA256 106cdf0585cc1d711b19724efc4b8d1d332c89df857c54f9870d76999f64fa3a
SHA512 ca2375666d30514af0a39a251a050a026af8167829f4c2bbcd08ce16046f2ce7aca8113025c761993503a626bbf341172bea214918e6a56fd9480c3de1206197

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 48e419ca3f82c767067aaeefcefb1a64
SHA1 edae5115862b12006b73d5e2190171a192364266
SHA256 dfa9ceb843864c57864206438e74b03ad0f6c632ebd71fa488ae5118606c7569
SHA512 99d7c52f44e6e722705f9d3238297c5fa9ba26e73e5b61142c4835fdf4e5ca63f5b085ca177f2a06453f30d82566c56eb04b1ea4c2e6ba8e0b8d442856baaf0b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6e61939efb635f9f2f74b413664c9380
SHA1 6c0cefdfbca2ca9d0f3fa83d5de85a299098597d
SHA256 8ff1d7ebedf53fb90421c80b6c0ef5e449a565a189ddc7b378196a314b7fd85c
SHA512 805628281a18fad93f0f566e0002f4c7bae379959724f56b96d4983471223134e3c160e9e66c086e8157dab01f9d363cbe055169a70636b545eac2b15b37d6ac

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9b89cc02d04edac78e2ca0a2428cc658
SHA1 1b32eee651cc0596e2b17bcd8935863ca6dfb2cf
SHA256 8ca5bfb223c16ad1dfc332526125225a4a2f04ea5ee132b932016c49655e2fa5
SHA512 74f87bbf59ef7b3ea03753d6f523de022fc2e888dae9a1bfed5ddf5866f21f82b5f42202572451aa9319d57dd2f0709d2455988fdb1c4f459ccec202ed7020b7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6e1761e4ff3ea128ff70c00d62ca20c5
SHA1 a6bc7b5526b5ab6951f4f1077e054f6418c02523
SHA256 4a3a30631fa9ded9d48a5321164f0b0fb34a05d2ca3506da6a17f9163c168eb5
SHA512 39f8b688ccffa0a818f72aebe143549f13587cc601a09e4afd6167c4062926e98a3957059e02f103e1988f3753aff71e6d9cb0e481a92b10b458b0abe4233276

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e69103bcfcb1c2134231480575a031cd
SHA1 29abe52bb7b37250e47226653fb01c4ae6439ea8
SHA256 904224b9974d5e03862723277f49f5563ef39f04a8cde12e1cbbe47d9b64814b
SHA512 5f4d1846dab133ab256e6cbc6628a942921aa42988455c8b0ddf4b0d8c791a085132a0ba2edcf1a1f28456c18532de78346f9aa0042676dff867ea89d749e327

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 18411690b496fcd280cc0a9b2b1e4b30
SHA1 b21e926bf0494687fab3b3f1741d89b5473e624e
SHA256 648696d1c7fb3e562d6c56566a4414a9debbf28742861013afa2ad97c6649e12
SHA512 ab230fc850afaf500f3c5759de90fc790423a0fb2df63370485eb55bfcf8e47808eaa053773ff8c97d16dfb0dbd93769caab37bd3eeb4cde36160cc59ba21543

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 91a2daef9188edbd9ea3129f40a6b67e
SHA1 665ebacc051cafe2f87f396a77358bc9473f8135
SHA256 18e2b6584ae2caafe20ef2e2dccc519d3ce20bd63340e235e72e6f7d35c26c35
SHA512 e0159bf3fa76298014de4bd973ae1ac74841c8fdfbf49825719489b41931217baa5e3fe2e974ecf133f9858ebaf0cb4bd2f201a50a880f6052dd9211a3dd0f04

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c328fdf693b38cc4b62c696623e85179
SHA1 d6ed51b4fe8170b17ef3eeede7aea0ac9057fb0a
SHA256 29acc0615d896d844b6b9d28a3bf15624cf5813e8cff35514fd8eaf9783d8102
SHA512 900f752d4d220d1156abecb6e4cf9a520530e00c5940ce042f2b41c1638063cdac83d79f9f9c9dafcbaebafc73325a7a5d895c91b48e0c6093c100fd384ba42e