Malware Analysis Report

2024-09-22 09:53

Sample ID 240426-ne7m8sfc2x
Target 00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118
SHA256 5beca7229c194cd54b27dba905d1886405bfff9f0dd963ab2a4ad88639b2cf5f
Tags
cybergate persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5beca7229c194cd54b27dba905d1886405bfff9f0dd963ab2a4ad88639b2cf5f

Threat Level: Known bad

The file 00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate persistence stealer trojan upx

CyberGate, Rebhip

Cybergate family

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-26 11:19

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 11:19

Reported

2024-04-26 11:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

\SystemRoot\System32\smss.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\microsoft\windows.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\ C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File created \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe"

C:\windows\SysWOW64\microsoft\windows.exe

"C:\windows\system32\microsoft\windows.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
SA 77.64.84.132:288 tcp

Files

memory/1204-3-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/804-246-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/804-249-0x0000000000120000-0x0000000000121000-memory.dmp

memory/804-525-0x0000000024080000-0x00000000240E2000-memory.dmp

\??\c:\windows\SysWOW64\microsoft\windows.exe

MD5 00a65d8c4fdaeb42771fdbc645602f47
SHA1 1948cb1996519118c6a8841ab927cd81548a00b7
SHA256 5beca7229c194cd54b27dba905d1886405bfff9f0dd963ab2a4ad88639b2cf5f
SHA512 f9411fbd792b1c78902979c68462e6190f2c001487e66bb0461559cd7de87f263137cbecc55022af53498df566d5a37581874ba7368bca0a54cdbc0128c6ce56

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 833ef91aefeee2ad25fd6cb51c0e575b
SHA1 2cd0f9da31faee4a5d8b6fb6bc63e3858163ff78
SHA256 b54eb78bb7d3e1d5f99075827fcead7bab762917deed062a55876ee135fd1425
SHA512 216749021865e59e36417e87799ba66c4947df13e2a881972fad6d8140e79239e87c73e6f6670f85ea37f5b9a952629f200ed4275a6ff5cf6eb2357175c2f7fe

memory/2040-825-0x00000000240F0000-0x0000000024152000-memory.dmp

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

memory/804-2673-0x00000000318E0000-0x00000000318ED000-memory.dmp

memory/2996-2705-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2996-2707-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/2996-2762-0x00000000318F0000-0x00000000318FD000-memory.dmp

memory/804-2763-0x0000000024080000-0x00000000240E2000-memory.dmp

memory/2996-2770-0x00000000318F0000-0x00000000318FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

SHA1 57a1f9362c0a1e4914251718a362d43a52222325
SHA256 f1377bef5917ae7b9632545e33e6bf318fdb3d7c78d6bf10c634a69a776f4ee8
SHA512 32b3f6874ea8e29a0af625b718d36c0e4368ede0e08cf2c0f0933ac64ee2603973043b5be003aee75d475d3c12583948d47ede2f71585843c20cf927c4b1214c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0acf93481928dc13dc0ea989ef30a26b
SHA1 658d70c589dfc00b8bb8eea6a964b1fef0dea551
SHA256 8f7db87d2b69ad98a44510112a1b80e064002330eb5b4744e0982dd5d1c79447
SHA512 2ca1189aaae54af4b2dc33f08cb4f728a9c5d5e612f3bf2a29851fb31b3dfa15d9bbfd96117b64aff567e75cca3f251ace498f2de2942ebd0ae71f3111c380ae

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 01a500607de1fcb00803b26a3bd1b84b
SHA1 cf145003278e991689bd07b7ceaab5e39dd07ccf
SHA256 8c6617e2c369f0b661883e14870728550d31b369fdd79717fc29d781909b9b84
SHA512 5dc185b0402fe0bfa80ceeb556eaae860078ed8b49bd7662b6f409ee0350f178e08d614df9aaaff1690d03ebaf05c8bbfd3400749ea7121f5c69278f79dada72

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 34a720a11b83c3fbd3b96b2e11bda349
SHA1 6b888ccc9032a45e1fbc61b6a65f8727693e4c62
SHA256 5a3df3471c2f287d585ed37280e95fc3a91ca9a77e7de5465bda5d657bc716a5
SHA512 b9a3c36d4c307be3e37a777d9534bddbf77b389b72cdc069ab6242b8da097fb5d8c82869240907c2d762cfc8bd39b3ac84df7b466e0b003363551085bfbc94df

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 eb860b7b2555e98853d8287915952664
SHA1 8abd51ad66325f5f3fb7d02f4896a9f89f7b4360
SHA256 e2b9d0c19fe274131c9998197c5eb31d44b1308a72bc3d86774abf930cba92e6
SHA512 2a94bb69ca11dbd27d7ac938a02e994ced2d96dd4a1ec6e3c527a64671d58550f25bf9ee4868e45fed2ffdd4c54164fc6de1bdc2dd2b6495abe6f41aef580a94

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ab0c24d532e89804927efa9e6aac988e
SHA1 d1cfedca9670e3024a3590edb8edd5ceca6bd8a9
SHA256 592244de3ad5fee112d0ab237ccf354b83fa8c9a768bfc7c2ac838a126ee76c4
SHA512 f46e492ff9f5ceeb8bb60c51b3b886efd358090642130ccded1decebde39cd286caf0fc94df90db3d1e3e3f390455a1d6988a8d06b1c6b241b6346122d8df559

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4c649e0d352709e798b9a7b029efa2d0
SHA1 4e05d2713bfe7ca39acb80051d8c1f9727845aa6
SHA256 6d87de33a3710bb44c8f52e891a68890089e6dfe62f34aecc9e9e9d5caafa78c
SHA512 a31027b6973c69982dae1fcf47a6d6079bec2b9b6184d091e2a2b8349a4b406ff16c97e762ba6b269c9a29edf4ddebea442cd0673d18d125bca2a9b4a054d422

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 de9c3c39c16b4a47b32e04f49b7229fd
SHA1 c1d61c3e01e1bd2ba360d8db2f308713ff3c2470
SHA256 9f535b0e76e539ac0cd5ce28c22223eeee0a5b8e99198ad5d2d39f4fbf8ee43f
SHA512 17088bc3cd361f13bc70d164420287fc6a47c5df53fc3e361307fc3f0d52db278ee8c0f10ac79a845307abaf13fb1e9340ba848a1b3e0a754fe8f7262445b3e2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 883891cbce8e0812b5b4bcbb5cd4e2e3
SHA1 56f657add6414150a75c1b82b10467b98d4119e5
SHA256 4f31bc0b4841ce8dd011b221938eb58f8a8f8c29af473bd1049f06bdec8f2e36
SHA512 3149935f1c4c7ff188c7905f3ff8aa7847ce86460fcbcf168db75c8abc85923eabfdcafc577fd78df1d7f5bdfbf8c0800a42e5a0e40abef44aab01be6461aba6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e36857a2132d9a8fa5857defad0ae4d2
SHA1 6e8ea56f6fb99c7f077f1635eedeb2bcf4ebd44e
SHA256 2056d8fb83a7941b6caac98b4c50856011a8e86483775ec25e7eded4719b68a4
SHA512 097460d14bff0486f1081eefa92fb74ea597c4303ddf44e6ac1b87650a9f407a660d7e044ce0e1fb89af2575b40ffbcdfea9653a7687dfa10fd05a13f976abed

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3e2f97128a32addd0bfe2375778a3688
SHA1 c9dd467bc61a2857b5685911678fb9492a33183d
SHA256 dc1b351ddc6ff1d3668a1c8edb749987040f35ca0e5def0ef7b1040f468452d4
SHA512 1f608d4116fa54b179d81818cd082ea90b457e7d5c6c87e16292f888dea792cfc3b761715f93f183eb8af36c6d0173e5e924070628e78f4eb9014af37666f229

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0b14e83e40c341b0154f4e6edd03a855
SHA1 8dc746ce7f971cf571b9f8bc6bf5664248842253
SHA256 75bb27f09f71d1ba834fdbe7b8b0204837f6223aa54fe5340708f5ced94bea9f
SHA512 e1dc1ff7d02dcc3857ba7e79a8358832824ce91bc287d33dc0cf94489fe3233c37d27e7678562369eb2933384732d7f3f1a2e31b910257cfee83420af1b11714

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6e21994e727d87cef4518c35ecbb343b
SHA1 0a9d21706897afb3247163a8fb58692c1228ea52
SHA256 cd48a682cd713808b24897d3f051fe6fb57a129202e7a8de5300829068ed479f
SHA512 4340490a2b3435ca571f4ce68a13e4efd1ab644b94eabaf66dc10bbe942df0a0801441bd964e5a50f350c1d77ff9b598b56745cff346aafe1d950a5d670f05ae

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8b8e901d206a6f47c71ff4938b3d9419
SHA1 8dcb7d97bcc2d6cbb0fbe8d5a06d824ad5290cc2
SHA256 0d38096b08e0a7f2b51a6c2ad08304a92bf57a3ee4f612035e613a40ccc37f9d
SHA512 2fe7230daa43ac4170ebf4a6408dae012ddb5e4780d7fcad025f74a6e92ce13bc2604ede8f31e3aac1e072f2899599d9b000495535f35ad411efca0ea027490c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a252d8cc4b156eb4ac016787409b8101
SHA1 35825af4807bbd683608d6f267e290c91693c93a
SHA256 ae874aabb3c0f66334939e3b1ac55267e724a9081496fc71cb2e3f2fb2a63318
SHA512 4f66a28cd5f690f8044fc352d6e29dabd3af4ff4331beb03196f2e4960742894567fdfc5112225f6d4a312cf8f8ccc10016cc96a41bf8a1305891b1be6d00c8d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 42bedfbf06285dd82455967fe414fff1
SHA1 814585c632885e0ae8d6501b7551620c8b585136
SHA256 2e6be6c091ed6caf490964af0c6bfa2d16cb53e45537094b482d01b32e8d9715
SHA512 b3cd6d9ae5a6b953a62dec5ccc4eb6aa38c17cb834579aca250aa2a4088406a8fa36c0d67846027d9ad6debd7167cd519616da8a2c18ac046ae510296926334a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 74f13028cd78e528d09498f42aaffb6d
SHA1 ed371a4f917b5c41e91b775b52b3ce921c4d2ade
SHA256 51ca873f094e8ac4cf81347424019413d2053d588e87f0a6f7de0a06fa7ad5e5
SHA512 5a9262ca6ca16d21fc8b1ed15809eabccc59b56723d7bbea66672305e5647db666997c1e5c8f99cb807d76f8ee440409ead0956ff07c581056cc6290c6c77de4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 11959f6ea048a1fe5b616f7f7436b0df
SHA1 fc0b52cd96e0b98c9403acdc8cc1c2ceb7d79ea1
SHA256 21092a3bc8ff9859211b039f5092e6046b6536fe8b46c66d072bfc2f1ad21aca
SHA512 85d4cb066bb3683c842d3e475639bd1b0212c0bd9cd635d89e39cc43078ea5fff3a29aeb8365afdefa72108d358f0d9c4a28713efb83d7b753a3bff973591e01

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b085e0fb6daea4c2cd449e5e6cec3f66
SHA1 9a39e340ee288f7e1bc297c8617bc47d24e009a8
SHA256 04a39cb864a8ef207a66cbfde414296755eb8bec9279028b472d7f068b0b7041
SHA512 71194f142d0bfe6612aa948d5090dc8e63bb7b59e19dfc973dd35d346128900820838ab84a83b69d20885a31317cffeea19c574166ddf25e6b8ec9d985520892

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 516fe4d3f953eccbe93fb817da10f17e
SHA1 d088ca7e93d8dcbb6538556cbc19a20275ea845b
SHA256 52be8d834c098b4334af3c5ba52a4a094bdacc6be88fe717231214cb84339774
SHA512 fd04d0dbda3adaca6023178e30577e5a61a3cc4ddefbc74b912a1ab97a58cc07f17df68c055b03d26fb365867fd1981d97ddfdf53bc5bddf5f2f79d98872c4f5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3ebde48713d11397039b7c22f68d8a7e
SHA1 863b0a214f148551e92ec0c58752f94a78d9a051
SHA256 78c7c75b7f3b7a7c2dfc2c0409ac3f2bdb13a59f221b66f966e895bea1add517
SHA512 a95e44ee285ca63863ce28a50c6a9d269d511daf9f65ddc04f87353b52c0aa5d3f7f799c9b406662b784300a6f4dba7162bdece48e6f8e7d42a883ed7d2d13c9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8b0572f90146e4752a82454baee44afb
SHA1 add829c593bc375e2a9dc27fb5b55fc3a3727e12
SHA256 642f2c9501e95a80613d37eb3e4ed012a065a5f3e18122d48ff46b7212d327b0
SHA512 6f19381cf72b140915cf5af2f6d3503941c8169c4e4adb2f688f24cb52e19d0629f4b162a80967846a9139a76e05082aab5052f1f8e77074016bd15a4951f00a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3920a1949047248b76f8d7540cd319a0
SHA1 aa70fb465ff9c67c1e89c2300b6da3b76e32b85e
SHA256 3baff3b5a4f340912ce1c4c361a0aefdca0a4339119939301402f9f9a3629a1d
SHA512 a216c4657d94a0e91b7572f3266b8567a063b454318c8bd045cc5f6c8d7e5814dcd2885622bfb0ac75f1eaaf972d4f0102770b199009159a58db324723c42425

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8ed4161005400ed7ed8a4f8b5344b9f1
SHA1 0bf1068321ac2ab98b8620c88d780f6b0fb02630
SHA256 2f578dec08c0ac1c649a115ad376ded201f97461dc823efedad87c115bfb1950
SHA512 376ff946a9693c71291631ad4fd53a19242d71443bb54c39d38fad947ce0d840b8b6be5fc1ea2d4b62561a3fa22b462f263775b9075919bb76d533a9f0a432f1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2c80d79ab1be29fb350f4514b52879a3
SHA1 805348c77e74afb5754d3ce3715ab7277466bca6
SHA256 84a814fb07b16f4ff83a542caa685206478908d8edb3d8f6f844c6f17fdac131
SHA512 336188591cfe5424f12a07c4d3f431b57263274ce877ab3e4ac51886781ddd3c58a400844dba165fde7d97eed58836fe830b6bbaf4ce7040390b69f606d946e2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9f8257033d9787bc43b5a620681088d9
SHA1 b1be3e755a5af07cc9fcfc15f6428cb7fa094c2f
SHA256 20d1e235e21fc31f6991b3c7ce03d59742e5f4d369e2305c80704814eb68f791
SHA512 ba57e4facd9399ef25518fe45475a0c052a2d1511e31a2fdc52f846d6398ce7446f488190acb92c4344588ed5b4371d44c8040d0cad99bd56b4ccdc1df2edf51

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 392162d1df05b63c22358a2abf5dcdbf
SHA1 c4be7fbdd3280a9187c38882f794f0156b4b3abb
SHA256 971e79c57c36f33bd7f261cae992d64b96a0f4858fe99fb34f14e6c7409d4ffd
SHA512 6c132e47f6e7add9387dc0a1e14d8fd2146f9153cc27eee462cbfa79c4c326b3f3811cdad39098f61dda4fe442ac54d67a54aa193577f4ecba4b56817fdfd38b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 15d71a331e902808c5f8db57433c4f0b
SHA1 cd74a83abae834dda061de4005dcb1d89f4e16a2
SHA256 22a963ae18b9b881ad2a2253f08acd91805d261a687838802e2e2a88f23093c6
SHA512 0849320d4208836020432371017e99041a132d5925c5caad0de82ec261f464620997f1de4184ad3754380574ebbf89ab24299bf06a1d43ff8a5c6c734fbf9246

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 813dc15d21560b40ecd75f64ff410411
SHA1 2cdfb0f466e49c0d8ddd666992cc1401f860ba4f
SHA256 9b03487bf5c821f1f57d8044ba812902983250a58772546e2c1cb43341f224d2
SHA512 c14f2712c5fcd1b1b405ab02db46241318e86267c546da4a321e9ca09d84f4f2bff9186e27dbf2a1eddbed11356f033f9f7457ba077982e03c3c218aaa24d88c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a395a7405598df6e0ac929d039e9cc8e
SHA1 543a3404c0a536096a137983736c156bb18013bf
SHA256 3fa501a1d64700819bbf4bfbc6c4308ab994720bd5a18121e0721e9e30242dab
SHA512 c4a958824a797681835f75bb327a6c0273eec8c421525af68596df53d293dd98ffe6ee11abc27f6be7852282ced67ec2dadb1f8ef690ebf0a612a960e4feaf49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 145c592306a3b32f407093287d59cfea
SHA1 3d95ecbda925786ea54fc82f1606d7389a6430f4
SHA256 c49744f3cd1bf964cf264037e6c5673602b06b742310c85e078a17b94db546c4
SHA512 20ca8509660bf844f47a426526cae25d3bd4b3f95c42f6681fa31cce7a00382eb2b9f27f6854728c3622e65463a916cd38bfd4d9ac24392694ba2645fbbcfda0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5a75b185006054d28b5d30a12f99a2c5
SHA1 593ce3ecdc789f89222af46c8732fcba27edbc91
SHA256 91da15860209e746325fa413196d978d6fd65d3fc8b5e002872aa65245b0b180
SHA512 4057756777e386e74490058cad0d304a330f368650f36a983c364a6a718b85b2bf206becd4996351b21ebc82a7195bc1646e27eba99778cb0c062f88a6c85afe

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 877796ffdef8c233e25fbc138c5e0320
SHA1 b13fe9e520417134eccf2f6a3756b61883957f2e
SHA256 ba69e399079fbf0c17a56c4f444b194515a9213ac0fd931645e9c693f761afed
SHA512 59114cda5fed81af0a82403a6d0e793dba6466d257761a1950e454da077e68e6c72fc82325abdb64d7ec9471fa577f1bf3c711a54f60cf9200a4cfc6fa1081ef

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ee994aeca1ef7d1533bfe21f35812795
SHA1 fe0e88b85debf95c5979d2bf9e0e87ca81d2921e
SHA256 f52ae25959245fe8b38c7c4c59517deb051ce5b92bc61b28ecd9d887de36140a
SHA512 7e1f16fca94760a4d5785bc1155bcc74b5f81eb4050209805d0341acd1d7d6d6728b279e1a2e103017c8b39e0efae203e43eb5226e19f581006e793356464575

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d06cf0cb18c1d1cacf367f3286f122b7
SHA1 2284eb1b34a6e21700fb9cecc41130de47546e50
SHA256 bf0fb93b88d2b3586b41dba1c3e51bf86cba3e3e0e17b4d666bc20f805cc0988
SHA512 2d04b7b5a6cdbceccc8f3cec1a8d1bf5a1d35790503384f5f1ebda2506fca3a1fa576d35218a8bc0a7bc6ae52abefc681d2e6bc9e9e20fdf207bfd5c8107fe9e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2845fbe5df46e49ea23fe05e2a6fc874
SHA1 302ac86c75b46d029a6b6f40cdbeda784026a56c
SHA256 acca57356c81323492b646da201f45bbd8ce63aab65e6c64d79240c58a40fad1
SHA512 18a2b6b6ff2d400a3f4732745e3dd292f22acf9a998961147b05c0b504ddc63dcdd5c6e87a28034e0c684ed58066beff8c29b2758bd770e85371fd237612ffd5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3eddd4f35c2b568e2d35ff12ac2320d2
SHA1 4d8074e8eaaa5f2fa87099f7fc6893d350a8a52d
SHA256 47b98ef4286cdcb460de845a7c493d62c98163e4a6e94dbaf5ba950a950e9428
SHA512 49945cf63157122bcd7cb480620e4d45e26b2386fac195462353af2d77b96beb0f8f78fcc63e6e81ef14b650849021541c9aeb1e202291fc0669d23d4b71c703

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b6ae1b23e39ce272171e73024a37b943
SHA1 6836640c21c94e7fdd9bf2df37b7b07350a0dcfd
SHA256 8f3c8c43626190143bc364fe1999cbfb607f8a78b7ae5a2e7e000e24ad581524
SHA512 8f25d413accc6c0a8c385e2cd9805bbffd887221238bb8bb8cb4d95448100257e50e349ed9e70cc5f5908b5fc7373900d6def59056fe1f610462d5da02e62ebf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fa06b26d8b2b0fdbaac71b9e10a757f1
SHA1 d824b244663add3912867b17bd72c28841bfc88c
SHA256 bcfd5a9323435db7996f4d74fa4e39ce69557cf37decbccec1bc2859d48f03ff
SHA512 b8291ab9ffc33b7f049f229344a47a09342cca2a5fdf79cf3de8d40e56221efd70e0d012cafe1c5af0ae8000d36858e1e3951cb4a5ecf5c3119fc27cd8459523

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 891db8f32b21c95fd57b973a6fac856f
SHA1 a20381e72815d239db1288d6407b1a262a2ce95f
SHA256 9087c1206b1fdd516cf8ed9a418be03cbd1015062f8bc95fd0826cb02623e8af
SHA512 5dbab2641859c81c706cf9ba22cdfba5fd137d07a888292ad69a6368823748994ea1aa182cdf67e048384513b1d4d73171fa209fc2d8edcbcf2cce19f37f262f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0a09dc79b69f0e7a5b6ba88a4647cd39
SHA1 ff7eb0689980da1a45fa7809690a06d0ef070601
SHA256 8e0f805473d7e152c3ce2a74ffb77464dd7e34b55c488da4cf5e0384a552e16f
SHA512 b06060e6e6e033aa9a2e9df98bf0dd18758964871e1fbfcf303add6175ae5a813d2639a3811704b59db62be2348367c8b4c7abdbff1559dc61108eec5e595b36

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3a994a8bc08cdc5646d821994520c98d
SHA1 8775b39194540067eafbf150ca16a4ab6c670a1e
SHA256 0ec6f8141a12bd54c872327e35b61e763573c8e6ba97be7e539d6ebb2926c52c
SHA512 a6ce2597d1e3a2579016768cacebda06e16b897de3ada162b13c0a34f93d491e1b8feb084a4f367d481de476fcacaa8c3d228016cc49ef874f8864bbc699adca

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8778994fbbb6493b5aba747fd9e7b52c
SHA1 092b0b286cff0d48a016e55735c4172a308979cd
SHA256 c386b2d721db46fe0ab8ea24ab35a2bf89f014a6768e07201dab5ac61ef7cd13
SHA512 5f18f6dfe536feec19878b2e86c8c893c1ef35ea84046d70554c0dedfb02c7d858083e02c78a9734ff190663e284c30000c76c030fc861d1c2b0f89ca7e160bd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d93aeb8ec3a8f209438a56e7fe762b21
SHA1 5f57954ab05dab516fc18d962fa8efca71a96fcf
SHA256 4c04dee586698634c946ec130c7974d7b2d1986fe368369a1f7d0d13cac0aa5d
SHA512 f35d769acc8752d71704ef56a8a082eb2d2537ebd1bfe1807934bb4a98aaf57e6d8d15eeb62c31de8b09c583a625eb3e17756644a205e49f3b61728bfa16a9e2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8f966a06ee1087f589c265f6948d5741
SHA1 68fa39fa612c786cbca628e97fd9afb8b824f7d3
SHA256 24f11b1ad8ca7827cbd46e02a6173c8bee9f323337c8f40e58cf1865dd13eb41
SHA512 e2b790a48ac3d67649c05a261b9029441b3d08514d2e9609eaffe66acc04b731fab17f76613a1ffb163d9304d3e8c8fff4ebbe9fcf8a252f43516553e1a61ea2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c2a9007f774f81a44df8e453b7032ff
SHA1 22df12080594a909d86b249de16fae2b9847ef5d
SHA256 e7881f3a8263d11d1b4640b5edb392ad719239806da4455ece506e31f6fa24db
SHA512 ef55df266e649359859ff10c9f39e343b66a078fa21c29cebb78e9a6c4ebbd7d531542588c01a81f901dd13e36b2e07aa7c6a09a87f38b51d65716cda4913c05

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ce6dcfdb285f6a13ed4ad919dc297bda
SHA1 7c06acb712b023a15a9ccd3dae78f4633e9b0e37
SHA256 430da50a35b404bab734eb697be14e62616b91b78bb8b444a6603dceafa6d2df
SHA512 56a22428c071aa4c2ffdef0721c82f1caa431863164912ab3a293e943a352607f210cca4be6b8c094bbf3d0ff5f52bf8eadffff32b7564287794c9837cf68b01

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 71befd642c6b5d6360849a4ecb343511
SHA1 ac3e494ffba341b9b25b43a2b78319f346b668f8
SHA256 af8aa9cd2670efaf8bee9d0cdb70bfad0c8013edcec67d4954f23751accdd2d0
SHA512 33eeb13077da954a2e8feb2d5c536c859654bcdfcf4bf11606f71fd7a8ee160b4d5718818d3d9bbda4c38328d50b01955c3a364ece2f2d6e086771961a73edb6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9ce73d3da1f276e79fe600b8b96fd6be
SHA1 45793268d1b6a8253bb991e3a856d83b9fe4ab7d
SHA256 5d7c34cb71f8c77c09db5932dce71f67e010801d9d9fbc71a690532044974e1d
SHA512 1fb0cd43c2788fe092136bff019f1918aa0fd204a0964b50925b5eb93fb19496032b9d5f25b1a4eceb83b8cb60ea370cae8b7dc251f180b18305a4d922f27267

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 efaab2744b39a8474963b77cf6b757e8
SHA1 3147bc9ca08a0677dfad8bbf9b1b839ed76be9c5
SHA256 a7c6e6c8f193a67daa8f78317bb1bd858cffa7ecbeacce91b22ec477f00a809a
SHA512 430d654371bbb2c2548da4c5676728968c401a7e4c6ea4ea3366cc5af5fdbdc65a36f8488164a56e2b9a87324e9d6374d36661d7a8603bf1c057d9957ce4c54a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 745af004441aa04aacde704cbc5b2fcb
SHA1 0ca9a080ea851e4a276d6659799c0be828c9b1d4
SHA256 9b340997223172c58d07dd9620c392d21bfe09c6fe4d975c6090097bb9342d42
SHA512 d15ab178cd3ab1f93efa99f642ad49677e5ad5e1bb39df9f9d1d2626180b20f3d7803cfa3b2fa4d4bbdd7c12e0b94042d5892b33a98f0e67fdc53c1232073308

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4669b77755be2ed519317bb9dfa90040
SHA1 15c9e3d2fbd60e4685a20ade702d3d8ab554a711
SHA256 bbc4974dad011ff5eae0cab65b007cd4d9ba4be87896aff102ccc69dd098867e
SHA512 afc202568f95c41a954d69daa086300d83ae7eb2f871cddc8ae347b080e3861c128fabf4f85f0b724e607e2629e6e99637152a4bb1f4b86331c7544d3acacdde

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b5f2027fefd3ebb03bed5b32dcd44cd7
SHA1 b1ffaeda99909eec71c97c67b4d8df3cd4306962
SHA256 dd587b926a05b12a3de86e487cd61d2622c4179c3b7232715724d5c84e1cedae
SHA512 3baea4b65f97f50e06322628bcdd54d828191f379b9f10add93f939fe819eef712b1e674f9c58daf8173e096652f8a77a52e6685833089d69e749ab2c7e5b7c1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f2c5aed04d44e9001dfda06975939940
SHA1 3307196354fdeca3ac291efe74e4a12002cb7f99
SHA256 8122119c6e82dd2466d7faddb497f5e83b90102fbb9d808bb4d915fb71c3e574
SHA512 643ad663c22d32f55af69b3cde3f8813b02878a04c68e307bbe1331da8f53aee38a7f982d6ffd2ab641b2133434090baf45671b0370de455eef6bd87a1200187

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e9d808c7f6719e419e7e570ab681991a
SHA1 af8a69c900aed0e8fa948bb63eb1672ca5499512
SHA256 ddd13f65f986712827623e1f6e57890ff1d1994b744b4009afe4ea8535ecb537
SHA512 78bb122aaf6a6db1ae55c762a8d13231930cfc1f5c82d31e84acca4ee8fced3e36168e62d32acda0adebf71e9894e60c0279ac66f96d76df9671225ce1a2d0e7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c0656b4ba7cf54141858ab24cf43d60a
SHA1 e5446d8ff94515ab84ca208bc595a346bc6e9742
SHA256 4b8306ebb2b6dafbb1d5791f9a6d772998e0ef2b6d9ba1ac3fe3f7508f7e0194
SHA512 6a013dbf0151773836bc94f0774262740a92558a49f14143a6431bba42019042f9fd3e081e1df9d99f2e2d61c664e3787c44afb3419afa64a0436bee02e1197c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5d15d9fefc553a7fe2caefb72fe8e5d3
SHA1 842e767bedd00dd232933871f2ecffcb0a28c13c
SHA256 52d6d8187d879932ee6866fc7cba4cd40ae17f517e09d9fca42a24af4084f8e6
SHA512 f981a306fad63dec0d2a1a9f0b35e5bd1cf43fa48d32dbf91b40c3f970bc1148d3f28415682211d1b60ef0815a5f354cb649692f399b97fd4bbad20cd37c6979

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 83fa24594503b958d266b3a83ad1d79f
SHA1 df2ef81ea9e20a16c0d62f98612cf18be3632646
SHA256 e2b0d582af28206558093ef4b844d22aa110a61ad9f47bfa6899d78ac7014d0f
SHA512 106072805923273530eceaf268c5aa10c7a3f09b7ba03585921db9002ea97e00d83d7d1b9f00f78130c4a10103e0f8ad46ce3253f4e12dee05c460200f8de969

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ce495462022f0ed55ca93c66488d9007
SHA1 ddd4a02bae0d45a45445a02b237f71bb24791fca
SHA256 7932bd1b4ae8c1172209900b0805159985d298d1506c9ecbe6eb826e18cff53d
SHA512 56034df8a45f531cf1092dc94c9227ddbdfc4f18a6e928fa62c07f3bd5f08bd992788e40bfe7260625bbe0a2d39f6a201af84009e84c18140f768b847b70f087

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 aa3376cb62ccf62bfb49f389bd0dbd88
SHA1 0bf09248660ee936a8a7a575b4f89876576ac8e2
SHA256 0ba173f0e903cd83274ffd04ab0ce213c34deeb2a0f202f60287eb4121e4aaf7
SHA512 80f7afa2db591d9ff6db0060c3d77237513209be66e5edf106379d044e08d69c93e9f8870454d147cf8ac10955d37192ed12f3d4a9c654c0f21bdb4c93f0dab5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 83def2f8f29d972419ebe053be017bdc
SHA1 7152f503816cce77285a511d7bfb4a1e6894d6b7
SHA256 7fb339ca1cfc8b0f3358bb065479360149b1850a3564150ba0c846a976482c03
SHA512 d06e96f6f392f539b49685429880fafced63a49af70e2daae88ece26cc3af98a6759248ec1e439cba77e86a88b267fea08afd304ca9a5e777e320db39c0b9daa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ae44d04e0d76a4b145465301382b7be2
SHA1 726f105c6afac70362949e5aa18bd28c9ab58fc7
SHA256 f99ee4a5c5359184a130971ff34d3f84618d35853fb4183ef09eca7d7f1367b6
SHA512 204ec51323ba4bbd9b3b39e2d3b5e9f2be2271a8b796d08af28c08796021480ce207db3a529f71776286d12d70ac5fdf7f64d32214c25bb22217d9545d946521

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b568e7a7154745d6d5db01c8e1f6f5a7
SHA1 e8dacd376f3f130a2b919c1572111ba8f7e26ea3
SHA256 89343b5570b3316c55fede11371196c6a99cb5f253779878e9de4bd15aa4e53d
SHA512 4ebdf1660d854c9f91860026af04e637b869e491cc5b7ed52ee473d2399d0ab7b1b6066742bb149dc5cf4e84d8eb2bb9c256adcb3389e18a4c4c4f5fb80edbd1

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 631c9f6586260406a9bd565e6bca9cfe
SHA1 cbc831b815c9e3f9a981882c73397f58a8d8a5a8
SHA256 29e8a12facc6a884d1f10b4854003fffb982f656d78a8f87d5d6a3e3b037e137
SHA512 0ed423b954a09c71d59bea0be3333d170ba7024b15a9d4a0e0262ca0ee45657f9b887fa104bcaab1632b3c9ca1c28ed8c719690d59b727bf7faa1bb687a0595d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 77306c177e30d502889a3d360da831d8
SHA1 eafdb2e442005ac10c35707f99769555759f3c50
SHA256 b08a440f35a13a01c37a439a7b336ba757719493b9fa451d573f344b9bcaf5d6
SHA512 f3b4dd53b4acee3211ca4e595849d4d9f77164f1ba9c62dc9d6953058604e4b0fdbc205263e5962486ce0e18d4a626165b37f6a6febc21d04b67bc4303b014ff

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ca44589e0db5c7fcc80f8cf5a20c79b5
SHA1 65e909a6ab0b5db3c5a3cc60371012d2df49247c
SHA256 e264c9edb900b2ff69972520b91ffa96355f7236dad3ef40988e819d525c18d4
SHA512 6f9ee60b959c6c2c1f582cd4356abd1761c03fbd08b265cb49c88c30af3b4f2139df8c27a91ea717382b2d7b4a231561437efaad948d8060da7b42cdefa7f1dc

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 00ddb42bc979a3a010b115d18d1ecc23
SHA1 5f779182bd4d7ad670705b636e431723eea7bc2a
SHA256 67fc896431a08d67822e081d3fdf281276b28c5b99dd23023c648f0910f3959b
SHA512 341b4f26245129ff57a55c09bb64019dc88ec6ffc0ccc1d182f25f7ab7935327b1301e9c881901067b11e3ffdcf89ba33c7e8edfb00589c841bf3f37ee1ebb1f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8897d30f6e1bc356722de51b57e52ddf
SHA1 7075faeb5c7a8640004228980c436b1bcf85ef3e
SHA256 e1c982d1f76f9e4be17074b1c0af921e45f2f6595a8529246e3a6aac6ffa6552
SHA512 96ff5577b9c97a6fd04f980aee88e2b1e38b4d697f12110c8b653b02c7331f2d9ee0b023d4200107c58d7996ad414c1fbadb5fe016ec7bcb33676789fbfa8e51

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 2746c81acd11ee7b6521619b55533e45
SHA1 794224fef516b82ff710010a581f74582efe481e
SHA256 f865ca2bc2b63d6f0fa23850301814521ebfbee8cd220234b2f56720927cfdec
SHA512 8584b9a59a5ac14ba756014e08f385a98f0cd025b029e2929d37dc8b44683cc1ce5b4863c3bda0f777caea0a0dec683738c2db978c6152bf0f52ba4c41b683fe

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 16a756b369074c0044ea0a82e7cd791f
SHA1 7390a2402887f865e35bd167497b0a61ed506ed1
SHA256 5ba961fc49b1050cadd9dd33e11b6840c191f5ab4b9890153f90f4d2aa8c55c2
SHA512 ab7bf836dba6cd4510dfcc90903145fe176489cdad9bdc87a6e9b8d1ec77838a44399e09fa52ce73253eaceeae0066a6e54b27d6f6f277baed72ea953dbad07d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a53d1bc54e8563f1c578cd0ecec2fceb
SHA1 b9d65054b59d1226162f5ebac6ec2d57aa663752
SHA256 6a00ee9b88ef2ef4877a38a49b25316b32d9d354f64ebeddddb3d98ec6696724
SHA512 615969861bac002961d2412c4d3f4dfe3b7479bfc6f19a7e2b4e8be57c7135b3ba12f4435ba1b884a7a17023d904f6dd2fc03840bbd8164695305398fca18242

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 81d9d52fee205cdc2732067c3dfd5f52
SHA1 5093ed1fe1d2ace13aa02a13b86dd7e223e350ce
SHA256 c52abea703ef00bdbe3977e9315a97bd6097be5289fdc58b8f27d8bcda10e6e3
SHA512 868a6f4a4bd53c191cb662c384d408b809ce24b06fa81a55769b7f64f80a6519503593a33cb6882c7a8e38829e8fbceb562a3f1896f0f035c212071de431be2d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bb80ec47bcf503b1f3eb1322d9d760ed
SHA1 b1998f095cf2befdadbabfdb3dbd1f65382fef4f
SHA256 42f8bfb308100354dfa6dc7fcb1a096121791f0ea6470efcd869af1c67aa88ba
SHA512 9056713e65a1381f5ff99994556fbff6d62a49abb60e3e296a884a31dee9daad1ea8cd7f8b31038cddd88774ff71a42c1fc326391a051a3e235714791d151656

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6b87ee9befc3e83849087b9e06bb1177
SHA1 83c9c9c867fdcebc1667066a01dd5fa9ba6305a5
SHA256 1b24574b56a05d5d7358dc96a887b81a6a1cecffd74430edfce377cb921d4628
SHA512 e5f8b4607acfd0e25be78e856ddee13c8abc5d33f83c68faf24f307eb48e349c7b8b0758e9764137b15224d0511f7b329490b2fdc519fea32148308ed9b9dd9d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b217391ae12c0c2e79e258b05f2c14cd
SHA1 2bd61b75ca43e5f9d02d10e0c385241823f27454
SHA256 2e99068444702f9020fafab8dcf35e692fed2ffafe9f0c0da055ce1e41992343
SHA512 5afccce7d43390227ec2e4f6a7474141cbaf4415dadce5d44deea4ab7899237067f149512da9b4ccc5c3aeb618fdb13bb27ebdb418ff1036c6dcb394aa1f2f49

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3f612e169260f74885eacf44d5e20e69
SHA1 4d0ab53ca1800b50672d4bbef1350c6b9a0e8eec
SHA256 9d7127ddcfde444408039d22382ae3a126ae3736264c060ae92cd773f29147dd
SHA512 5021e3ee949bf48522a8077435ea35bc52026d438b73274c86b26a1447f67499c830c5b8bf08468dde4e5c5dfa60921220c8d2a684de751cbaf0c2a8d67d67e4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f91af505d1ca85c5ea4fe0783093d11c
SHA1 1f80e00586902e020e7b956e6bd5e0d100cb23e1
SHA256 f1bc21971dfd1324997ba82df1fae1c87fb5f2b3a00ca8abf9cad5208614c06b
SHA512 3c09fcf571d825e8bbe0efe59d64675823a85669b9a8d7f54ccf03c0af604856dd2284235fee2a385d839e2a91901bf72e35fb779185d41a506756e85bfdc636

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 95b7f8b93333ab475c9cb528eb45d2e4
SHA1 4884a4ab281873d399afd3311715eb99cfdae2ed
SHA256 a6d9adb3f7c72ace7ac9c4b898f23e431f8caa5c505587fa8acd7137194a4fa7
SHA512 84bbf7e75a4fb95744a0ca12f107ecf8a1740a6f18d0268fcf2cd160d167c0107e052e830441549647540a74472c7384f300e8cdfd856acebdf1813b2d650134

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b95ad5f6d99307ec6426ddb982dc61a5
SHA1 20fd7ca42a0811f773b38360ac4fb89a23b79fde
SHA256 7032032c9803f5506df5a00fbf436405da7a82847e378391cfaf4f7630623659
SHA512 9b1437fdff4c6b05535a094e917351ee52b965b31630c77003fd637f82eec6e4ea54d4957a4fda7725baade78b289c78db193a8d8bdd51442a5d7ba61f664d28

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c719da7a1171b7ca92cd73215caff95d
SHA1 0a8082273892ccc2cb45b4dd458d6a3c280125a8
SHA256 417d1fbfc057dbfb8746aad59e8f88588125e3d8c63b5a1c1013d3ab52790c3a
SHA512 205dbf66658e5b68f0f5881f1e43393790bda41c58916ec90d2b1ecf92513cf3dacd5a9f6d42ca25281a7338635a72955e6b060961775d9c6eace938b3bad630

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9b2575cbcfe4bda0b88c06c37dca8d06
SHA1 0a5b7f6d4dd33404b54a5d40a32b965977f9cf89
SHA256 45002951502249e8779af8eefec333abfeee2e8e3ccb3ef86c500c6be203d7c6
SHA512 19e66be7fadc19f16f7a1817ad1a72a3da3760a6cb771dbebbe5dae3c0ef42f0a63e8f01cbd476003d188d990ec4044f2c4d25c5968ff6b00ea042a173950a09

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 69ed52f6aa3c1233af2a0b51589f667e
SHA1 6424ee0c53d91b090c63f2657f143c0ea5b1e282
SHA256 c8697560d9310db515a336f9104970a5e3a4817cdf899ffc35b6a5fce6d41d4c
SHA512 a7bea22f10577e5d7deab01f5bc8bfcefc24fee3685a125bedc9283819ca152050612d130e85b9d84c2ace731800dfe148865dcb619df0a90cd8728affb5b558

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 cc10ba887a80c9bd8c4d1aa0a479930a
SHA1 d138c78c800c58c831df96effeffdba5934c947c
SHA256 763cad9edbeaafadccbdb2474d02c7be664f1c23e701c63fefdaea561b594d49
SHA512 8ffb5bf51a008673c11e317ea81be996666af3e01f86164c38746cf05173deb3954a350fd755dc1f0af9b3d923b475612df023bb9cddf4c9f7aed3236c8be596

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c3af4a5e860636d287fa97b1afacfa93
SHA1 d2e735cd87c89aa504d30a3baeaabcd93ac1c816
SHA256 83964396ca6722db6499461a37c136ce6539321962243757f9965416cac0164d
SHA512 2697e63412707ea57e6d77407aa501912b4fdf7b73ce4eaa4bb92062b8c84b3f9761adb33230e5fc06488ecb9c7c7116f2632ff463bdc3447e8a4717b64ce0cb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 11:19

Reported

2024-04-26 11:22

Platform

win10v2004-20240226-en

Max time kernel

14s

Max time network

32s

Command Line

winlogon.exe

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart" C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} C:\Windows\SysWOW64\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\microsoft\windows.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\windows.exe C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\SysWOW64\microsoft\ C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00a65d8c4fdaeb42771fdbc645602f47_JaffaCakes118.exe"

C:\windows\SysWOW64\microsoft\windows.exe

"C:\windows\system32\microsoft\windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 833ef91aefeee2ad25fd6cb51c0e575b
SHA1 2cd0f9da31faee4a5d8b6fb6bc63e3858163ff78
SHA256 b54eb78bb7d3e1d5f99075827fcead7bab762917deed062a55876ee135fd1425
SHA512 216749021865e59e36417e87799ba66c4947df13e2a881972fad6d8140e79239e87c73e6f6670f85ea37f5b9a952629f200ed4275a6ff5cf6eb2357175c2f7fe

\??\c:\windows\SysWOW64\microsoft\windows.exe

MD5 00a65d8c4fdaeb42771fdbc645602f47
SHA1 1948cb1996519118c6a8841ab927cd81548a00b7
SHA256 5beca7229c194cd54b27dba905d1886405bfff9f0dd963ab2a4ad88639b2cf5f
SHA512 f9411fbd792b1c78902979c68462e6190f2c001487e66bb0461559cd7de87f263137cbecc55022af53498df566d5a37581874ba7368bca0a54cdbc0128c6ce56

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493
