Malware Analysis Report

2025-01-02 12:44

Sample ID 240703-p8m2cswhlb
Target 22734185ef6b7e63867812097af90491_JaffaCakes118
SHA256 889068df52de03555ce97cf810e7569358551ca89ff92ab6f96f53f7a82b8d47
Tags
upx cybergate sality server backdoor evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

889068df52de03555ce97cf810e7569358551ca89ff92ab6f96f53f7a82b8d47

Threat Level: Known bad

The file 22734185ef6b7e63867812097af90491_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx cybergate sality server backdoor evasion persistence stealer trojan

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

CyberGate, Rebhip

Adds policy Run key to start application

Loads dropped DLL

Executes dropped EXE

Windows security modification

UPX packed file

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-03 13:00

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 13:00

Reported

2024-07-03 13:02

Platform

win7-20240419-en

Max time kernel

8s

Max time network

140s

Command Line

"taskhost.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spynet\server.exe C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\server.exe C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\ C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 2052 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 2052 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2052 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"

C:\Windows\SysWOW64\spynet\server.exe

"C:\Windows\system32\spynet\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maske.no-ip.biz udp

Files

C:\Windows\SysWOW64\spynet\server.exe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

C:\Windows\SYSTEM.INI

MD5 d650d688ee7f166bc2fa5ebddfe04449
SHA1 f9a52bba916f81d4fea356d0d3c6683d595a86d8
SHA256 5db995ef2a7f67fb066c23a88d57655dca86e70f38a332429aef7305bf9f8941
SHA512 c4cedcb3880ab05f072d3930a1e8f94281f61c5a58dcc8e52c1e282e619597870a50f173422363892cd220c2444111f39e5fae1183c22b5249e1e6cbb93189f2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d9d50f8ac5e7e3f4ba70607951a49c42
SHA1 57d3cee4a8a8d0cf8d1ff35246a246d6da920a7d
SHA256 f49b127c2786d37c68d349572ea9e6a00bb41822cc7aa6b71733bb35df8b0912
SHA512 d0e69411fe0780db032a5dd11da3021088c5e81099c104b754202dfc4569f88fd5f6dfe09d7fc9255df3c01d292f1b75b8173cc6f0b143d4f85cbe48a17b1c11

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5e7e97e93d5a2d449623c92d4ef18ec4
SHA1 95d89f6f8896196562c56644ac4c0adfad007a29
SHA256 ee8f2fa91a5522fbb50fa1f36b613939bc3f840644993d72d0f52516b0c8d345
SHA512 8e5075910df01f2e099b9aa4eaeb685d2c15feca9dcb916d0bcb9efb221daddde12efcda96df5bc505ffc921cfdb2ee1c4ed86b27ca7de9c567201fc5e2b3b91

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 821d12b51832acfa3742c09be58889e8
SHA1 f3efafa9b047f814079112d3abc68242e48b98e3
SHA256 fc3f27f7c5e2d38f87c5557969397b8da752fd108856f907e164ede9aa78d31b
SHA512 b1da915d5f59233bbdfff2790e81f1664ee173219ed1dff72828ffc490b29f2cdfbb2ff97cd40c982fa6f59f173d91929536beba1df9855fb0b0be4418cf93ae

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 462b5366ff9f51d5a8f5580199cd4baa
SHA1 9f8d584b38b80d6ccb389557adbda2d00e88ce13
SHA256 6e690e38cc8596ff5713e0a2c62e427ef814973c73d0d32efb5993b421e36298
SHA512 817d9b6d5655ea4ff626f56c6818ce43cd86d8432b6f2cc04ac8f7fdce169d8dd187be54cbeef49c737d23182700e13688fe5af2806f0b288a2f0cce488e4123

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 13:00

Reported

2024-07-03 13:02

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"fontdrvhost.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\SysWOW64\spynet\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\spynet\server.exe C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\server.exe C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\spynet\ C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2044 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2044 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 2044 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 2044 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2044 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 2044 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2044 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2044 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2044 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2044 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2044 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2044 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2044 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2044 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2044 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2044 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2044 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2044 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2044 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2044 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\spynet\server.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2464,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"

C:\Windows\SysWOW64\spynet\server.exe

"C:\Windows\system32\spynet\server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3972,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 maske.no-ip.biz udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp

Files

C:\Windows\SysWOW64\spynet\server.exe

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

C:\Users\Admin\AppData\Roaming\logs.dat

C:\Windows\SYSTEM.INI

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

SHA256 39464c2f10c903cd1dc92452506f8a6c8c2d648ba54e6776ccf042963eeae8a1
SHA512 51ede545569c96caa79ac780dd3232b31ff360445295ae7958de562cec963d3ca497d2579c1cd8f26da39743f5aec4807be8b1e4e66333da72f3008a04b114bd

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8016c9ae0bb119969d6bbf821d5fc9bb
SHA1 5077b7d7fffa9704cbcc40aa4f1672607e79079f
SHA256 9348f3b110fedc81984781d606f841a0d4507d33cb34f70d8d97da20a41e113f
SHA512 07516abcb5050ff11e65503997c7a3442715a9df3992b2d5763eec6a7303d76601a0c83c2d793bf6723ef9e1431e822bb0ba33e90a524dcb1f511644727c31e9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7ead76413b3736db449e370d8f8f1b9c
SHA1 6fd201271573d9a6f6d6d01b64a88487789dde70
SHA256 e710b53ea953ef516dcfa04deb4f6a59b833929a68e900985afd3554da0596cd
SHA512 06d222ce76b3cc812f1e77832b729543f51eaf12f3452587dd7b44b6feba63c8d539b298b6615c5d20f871d75a92685a286d3672f54adda478ba9d2c39a3aa63

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e09537ad096d962eda68ec96d514344f
SHA1 66c2910f2d6538520492fae1f603de0590118da8
SHA256 f7674b9ffb26c915450e89e1b49341a687f0b660848f9bcbe3d8de83eeb7b46a
SHA512 c884e8e01270df29d18fb7ed962e46bca7b087c8e79ebb4128cacf307de62e281d955c7076f28fcd5adc4411873526d7e62ba79494c1ffbb809dbd45eeff1b89

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 afc8aabc29d73510ed567e1a2ac7ca8d
SHA1 274b1ab4aaac335ba9e003981602464f54662640
SHA256 b3d29ce69e478f799aff684bbd15d025862a5f1c765cc86b9232d20ada754f1a
SHA512 8a52aa5c06b2c5b355e5a04c284997fccdb159c6bb6ed66d7cec6292f504cf71aa78cf98ab01c886410bc547e820930ef102220cbe32f3777772466a811ae955

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 178993d800686738bf492aeec8e3ccd0
SHA1 4155bcea7718eb781f8effeb92a396613ba638fe
SHA256 2429560341906490efe361d50a333997f129f4ce50dd358973c0238fca1a1ed4
SHA512 f6590bea7d51f9b47ed5234b676adbb784508856984912d808e8398f96bc21025c264ec6e4b67a0fc622638c4a0643541937c214fefbf91454548a8611f2168f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 51342cd7b2ed7dbc80188f5aad012b01
SHA1 1a839a120e36a2002625c1a9cd1942267966e0dc
SHA256 117ea7c3ab84bf3fdbc6d212700c88dd7143531af0b7fe834d5bd0c6fc8faa7b
SHA512 b2bc3d92b91d6586188c5514cbf584805614d84f0de5d257b901f3be1b2301689a4eb03110884658a6e7c214252c44983dc0cd9a04e2d3c6b42994313da67bb7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 971b2a16979db1fab7237e31d2d529e2
SHA1 1a3723d8056cd857c2dab7d7ada9c78fe75bea59
SHA256 f93ae7c9cc32689c6dd90a8c91d3105cad138f19300dbfcadad93dc02c752e76
SHA512 9ae0ac6fd3a6eb474756222a6b5cc197b4bd8576983ace31caf2a89d16f2589220089144e9766bcf9ed0b7cfa9f9de7e93a7a2a2b158d6d55121778899828aaf

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f607276cb743465b258cbbfd7011ff30
SHA1 2c1fd9251e1bdeb31ee856f660ee295acfb6840f
SHA256 0fd96ae15b791b293a8883115c5d70069f740f4e843dd326705f5b6efd80b9ed
SHA512 d29cd3e64aff2019f1cc6e783fd5087d186eec9aeb585a570ce29f04bf3be30b954d0b556658a31c5331e1fd0f758836f8c789e297d13db36472a18c9cc6f8e7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 efb12a1882d43b71c298db71cd434ef5
SHA1 f74357201e2c8027a7177756fb8a76db9ab4af4b
SHA256 035f1a02a097d619daefc2459fa9d58cf9bcfd4c2ae704c3d11d1817007700d8
SHA512 52294a29ce1b98811a067d95e4168c172cd49e517afdb209e73cab6b644db04ee2648a0b2647c2de9f4957918d896a3a5ab48ec1bb433179d55abfd551c9adee

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 55fa89efbcea97276f77d9dfab7bb9a9
SHA1 4a1cef4290f086941244cf61de32322dd44e09da
SHA256 143c809af5f817e8cde3b4153f8ce9e52b0acab28ea36321cb204f5aa34e4285
SHA512 3abb48acd87a67b02761a1f8443822d09bc0623a0e6dc44a1467ab74c7960302d49c8825107d167c9d8a4d657322281dae8cc3947bb8861b44acfb0d71c8c79c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7b7459e8e84d68f1f236105df168ee19
SHA1 05670b4d27a1a4740cfcd60890c7bdeddd9a49ca
SHA256 fa01ac45f5575fb2bb61cffaf1c6aac31282b15ebac1f2f98a40ca7e1874458a
SHA512 7f10aad60268f57a4974b5f085840201dc8300550eddbee4f742cd352e7bc50f8d441809347947ee89e6509bdcb85437eb27119309066ec9ac565917fe71fe77

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 13a29abf21920ddba2f1ac7f46a25e23
SHA1 3e1ecac3dc50f6b07dd726efeebec30c03676b8e
SHA256 bd1e112f589ff7c0bcad6502e9c0ffa807cfc0d4320eac264ec4fb9b2a4e5904
SHA512 8cefc838ca643d90a919364b65132ea1522e841880af84aae7893ad726610f019fa59dc7f78a0ce612392391d464bddffcfe20c0750fa25c44ee67dce0c2172d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 355ed800d84fcac4f3bd8b835940a5dc
SHA1 c1b4ba93f716cd0c71aa7819b22513bb35c083d6
SHA256 17c3c521edaf358434cc66947c8b7c4972a783a2fa99a0fbf942c87b9ccd8e56
SHA512 0dacc5bbf4b25c7e29aa22d267dd08f91277c7980976a06cd6492079a40ba3573ba696bc6009004732a0842e0ef2a6a531511cd5365cf57baaf723471cd0c975

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a1e62096f62855ce942b582a950615ed
SHA1 1df1f7ec5c3eea45cf24a52ec0fbb7b0d30eb025
SHA256 277c39152451bc536db7c2f896f12ae65cf2f744fee4d9da1775e1712776ab1c
SHA512 199ed738404567c7859d55e22ce8df65b42d2a0e3d58550fd58c43fc7fb7906aa517df7793adfe7de92c8506af80849924dee901d6e83d6399d78183837a0b3b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 bf27a95e23709799e7aa03cbdb2f98b9
SHA1 f2124818cb1087b0ae34caeec7268d42705c0c69
SHA256 e0dd67f3e0eb86cd890365f9f6f2a4498634f8bff0fa7d98cf875a3c94e41ac4
SHA512 aa8b70c0398ac41afe36982373f6ba868d2e6226836f34ce8bd59471381acd1c5460067e46d07dc4e7a5d28c2456aba31570dfaeecb600bcc9743f6d471bb897

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 56bc42d66b42ca7a8c4a7517c1af2974
SHA1 04eb25f32966359d240c0bf67596c14e6296d55c
SHA256 97477f92ddc1631f9e00b3f18e8c0bf771e9d17655acb59664012fc07015822b
SHA512 81dcc23c910a2475d9935c5b7f86ac20360daccbe4f3988e1038ef3cc3dc5cced95286bf80161701659c1e80336376f8785dd99400af0cc6de48898f896fb9ff

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b956c06a0b5563c1a5440bcf0e4b2291
SHA1 4543a149103f20e78098d41fadbbf9f30629dc7f
SHA256 313f5a1aea165291b51f3383b2481e89814b3ec77583eb399eede889774f85c8
SHA512 42c46d4482054ce293dfc06564a54e9ae38b78484f14970c101b59581750bca0d87f1737534571aef696c818aa555785e458c90f794246d30a9051c78cb8eb00

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ef50d44d106dde489a524ea8314b82ef
SHA1 20da7822264961203a95e244becc7c7975199497
SHA256 926508aeeeaad569a633e8dccfa2c808292b6ca74ee47665682469d59389b026
SHA512 b0525afeb2fa76b1cc925510d706bbc2f3f4d17421ff32882a39c4d0797ac857313c262878a495d72125fbf57e7ae25c4c21e25c8f98b46d44c0095fb3ad3605

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6b6ebacab7a73f6aec4f1130acfa2c77
SHA1 741778e72ee9a9e265871d91a37d048db82373da
SHA256 c980d2883136062f52cda19d9a95db169d812c29ad2641be7b41d06b095b1f6a
SHA512 7e6b6ae2c5dc828613e830d35044525f930cc49e46682b14fff3e15f785a18d3b605337c344f6c68b4b98b28adfd64acaadae5c6953e4ead5da1b3b96c539d59

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 239038b3ee39e7b8f5184a4b96929249
SHA1 e218130b452f3a626f71919c34ef5744ac7edf6c
SHA256 36300e5226b96808b869754f91d315bfd022cdb1d4140e56829d629bae2d6cee
SHA512 29c6c10ab6a54a7e1fc580416d5ff1e19ac53debc00aa55503b8860e9b0884a6d551057d235eb974cd38b126957ad352d94defcbac91bfc921812273094bf5a8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c491ee1bdd68f1c9ecee28eff4feeaf6
SHA1 f3c53064fd118b14c4ceafa763ad1c8177984d3c
SHA256 d17747f47860d2575c7d284795c60237ee585bd6902255eacb1b9f94573227b9
SHA512 414a6e431e0eb69425b48790f047365165150acf18ad0f51b8dd3e3767d0bba9d2138bf824b3c78d7320ccacc05f7393eabbce1808ca30f2589eeaca0c371d29

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4e6b7ff21137a7d2d3c2157b5ae45a40
SHA1 730416e2e2ffa8c5942e91db607ef9caa1639e7d
SHA256 30adc491258928ee8a5abd9acb30091ebf5a41591ff5c318d824236e99345daa
SHA512 06f9cc24f2516861ec6ad88f28630936022b1a4bd772bcfdf890c8613e86bb956323eb04dfa4c5df358bb75beb6dfdb520112f2fcf1bd43c26ce0e3db2f49cbe

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e18cede1bc97d89c046867bf18c06d56
SHA1 ea0693b040dfb664ee608e301beebce0caa4d2eb
SHA256 05efd1d29eabe2f836c899384968d0cb07f5c67c296065570e2befc378a33afe
SHA512 c1c5b8ad9c577d9a4e0ad34a15fac6fc8fd3c41f7beb0bad3fac79e47fd6cdcd2f5e035457e9ff9da6791de07c6af533644c65e0e428f2aa2d1677aeb681f9aa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ae6a320b85b9c661bba19fc3ddd0aea3
SHA1 f31b4661f35324ed3cd31179d488cd5acc2c8394
SHA256 b3a91c0d33ca04d0d937b84adea4bfee05c4f363b50538e961a3bc4e332455aa
SHA512 1480363ab4f493306f5230203726afe4b75941d216de88c151b84072ff836a7d6a9f5e92518f4290820af569aa8f55631c13fd74559ed2e450f7d537f9e0033a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 487709ebc7d6914eaa985a9929f3f7fd
SHA1 d33d8f23048a9dcd06e2dff3ca9ec65c9124f299
SHA256 0afece86f8f3c89a57652fdffae836dd7414ccdedc858c3bcb564b161c0d201d
SHA512 4cdba7e49d83ca03dfe37a56588d0334f342506c9aaf106efb48888567be17c0b8a884f76ce512ca78276eb6173ad8e98631fa1f39aef032bfd42b9702a64c62

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 041f9c5aab4d933139ee55e39480a5d6
SHA1 051e762486582ed8da029dca5c51b8b42151c93e
SHA256 df3a416d1fdce7f1eed5b394cfd4e311c0a070258d37c45f93e2bb7949e87d51
SHA512 b47525c2e2861d1871c5532eec49a924fe7b506f00d277500bbb7b701ae982de901d28074ccbb7dfd31c71fd2f8b80d4c2dbd493523a2bbdf24f7745c8815504

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4210ab0e64b4f5aea957fba0b305091f
SHA1 8a53a3163ee29850f76cb62b1ca5fcc17f8976dd
SHA256 a911a646cf05cc465677c21813f14f14a90b6c18b58cd7888865771d0737ec35
SHA512 c388a1356f1cece78f8ea53699c57fdc7db9876fb0e8e070736b750831a801cfe72e638b43183dade78840f36b9802c09be6561cad8589efb4c81d2c776146ae

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 19b608e31a1ae81b408f2de0dd017bd9
SHA1 91a5ca3da854235782757f396b9fcc0caba1c1bd
SHA256 8fa45e383249ce1f5c9c51fd7216a0aa705144e288667edec4f103c4bd2a3fcf
SHA512 064f90d68dcca373382ae8693135c295b3bd665e2897b95b003a443738d114b1ea5102c60533967179ff17d05ea5c58a4163a29daec254c5e2b12f43a6a61b4b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b647e7fb08806fb297648fc5526fb1eb
SHA1 c1ec28b9877bd35c9f408c43f7fe8ac1b3f70376
SHA256 43744f3c52ec8a0a97e00b74dc9e42b440127c4ac2b724c96e052ed4e921219e
SHA512 16d39b199936edd8c56f8fbcb46fe26d55f514ad41e3485c6dedc3856f13b4191fd7446e2993052692da82bcb3fa1c3d8bac6205c6e75bb20de2fc168793f014

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c7228c412c02539fc38f89b04f12463c
SHA1 0e833ca3c5741577a9b482769bd3f60310c3742f
SHA256 eb77169b2df2a28d31b4bd973c9b5d2f37ebc5d02a274365e061fbdd00775b08
SHA512 29f6c0629f0298e55cf84323119eb26f8c9ad8383beddc3416d5e2a6575fb65f95538ed7973b5fc4e3e6d82b3c06ad65706a9c6ddc4de910f1940543097fb8b0

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e742e05630d59f18ddb16bd40032a199
SHA1 b5edd47ce083523cebb35cbca8e16657fbde4c55
SHA256 9cc7132a327e9b828c7135f6618dcaa02c8e5275929f34d6b7ab618f4f250101
SHA512 e33d648f039ac6fe58a10ae2580dc15528206c38af3ea48db41612c96ccfcfaef2acd0e663a0c5f65430eb23e1c0b774c0139caedc5509879bba45d3296a1d33

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c34b4abf4b9ee285444539d2575afd90
SHA1 f48700117f65cb3df196ae63e85ffea156e8bb5c
SHA256 02edc7ff4562a86ea7129390fada56dfc61e64c7dae3983cbbb3a77992878e4e
SHA512 35101b372a9d2e5ff18b885ce8b0536d835299d8ed05267867d81274e43a03a030876da88ce5e759654a5d25c2cf7666075e7da9dd7c98bc0eb56856bbdd8706

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c86fb4da6838281c92902ef7905428f
SHA1 7e1d1076c512999dd38d5f1f2411ddcbdde442a6
SHA256 a8b9ab1d3569707e068142b0b369160564e7a9e9d2e48a4ed0258efe7f7e4be5
SHA512 784fce990720b2fd2b07e77b1248444416c04288a89d936b5d5511eb7b3b912a0888c1ce8fd29496561365fb0121ee8896b2f86a60b39dfc8152136776b3e0a5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7615ac278099a26b71f7e619f729b1e5
SHA1 9613eb867f683833dda9cf8c2e15e5871e262cf5
SHA256 6caeccf7986972421b9891845e56a10ad3f177816206a6ea8d8757d4811f585b
SHA512 3cb8b5d98edd4d2ae59a7febf3584c0768150f8db828a968ad0f24ab4319444546f03d60d069bcd31dc809c8d8e9a44e9f6fcde44df554a90af02af51b6b1c6d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1caa16374c527cd1073f972fa6202eae
SHA1 6e36992e0e256a888e9f1e94fee39b4fc9143cca
SHA256 d6b40dbdb5c80083067517397947cf58a0cf6c684a771978cd54eb27a4607a2f
SHA512 dbc4545b56e5b9005f4b8e6fa4a169a0e398f561b2e4b621605ce9b8d9cd86b3106d433dfa968e3b74191877f7c90e60bef23bd91f25decfda50fd35fb69d683

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5127781c5626a9cb4fb61758199cd1d0
SHA1 04e76c2d83f594017d3a2144bcebb1709509b06f
SHA256 4ad6dec9cc157fb71f3a85fa30c0be553ce4df23b2227340ac26f469a8ec2098
SHA512 8e2e51aae1e9e2650500cd0ec04137547a623798255219207b3664a26e82da34802e2fcf21a1c8facf09a58466ed5343372deabd2f2fbed6c6de36c3c7acf01e

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c341be9d122545fccf080f192030b032
SHA1 9000be5043825e952ee0a101fbad9706dd663905
SHA256 9058453ef4cd640ef5cf939f0fb42bd939f19a3cd02ed5845270941673fb1e60
SHA512 a316a0c012cecefc3a477e387c949f51c22e6637528577e95bbd40a62e24e9dc57d5947e3421fe1817a7826a5c333a82e48e534612c5199954e97ebc0b60c6b7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 651543288a3a86837e218d949636272a
SHA1 21a906d7905e9272f4049d258efc95bb22094227
SHA256 7058860029176cde4a20aae977199d4595f778e5cf165007b82b589bc52aba19
SHA512 999f7d4a83ec9135e4eab0f39ab8c2cfc0d35817925670048ab3b6d19599bec3133b51bc50e69f344c5c9ce924a7d080c02382a2b603674046863664dc00b1df

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 b3860bca0e9ce79d4a7cdfec3f914446
SHA1 9fd7fba1271d7eb55357c1484d9b7d14d728f3ac
SHA256 3a4a8cecf61dd83e72dba9ae84e3645a59f64027021f19eb3166e4c1ac58b217
SHA512 a4351c1ce915e4451cfcabe360df731c7a9c3a33a00920ff62fd5f419023389d44ad2718d47a6aa2983e0eae5c210ab8c9e6efed64ea8d7bdd7e9bf734fa8109

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d91d4986b84e2a1a03336e943f98f594
SHA1 33c02ebbd30e7fce2f3c46a662bc12aca07396cd
SHA256 1e57c70cb085e8218b2c1fb99cd08895aa8185dcaabc6736144966bab37e25ba
SHA512 7fd143f01385528483f62a95ad48f2b5294f954d5a8c55080225282f984e80973fc8a76e5ed1c594e0dd9fd2215a1eb111590f21fd11e11e04cd68aee856d9a2

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ace89eecf7920d8fb9042d77de62984a
SHA1 44d50cd50f3979f19998c3ae271404c106f7756f
SHA256 643a2f812b2e25aa292e2194cdde434bf69498cfd6f0eed773dbca4083eef924
SHA512 c84283463efeea53c9cc6ef243d51ac097174b1e3f5f0569d446ca03d6f65ffe8c094018bb84d7653ef5fb57e5c65fc23d1d6e1c990e2e279e1c5519bb341dbb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 04d354369ad183aef770ceee8bd49768
SHA1 ff735d0e3f0517f0c2826258ce96a3cb168616a8
SHA256 36a853dcfccb0b05ca6c7b83441a8c053ce49b9972aad50bd569243787133ffc
SHA512 bfbea59e10f436e51400ffd9b42a3842b2412e64ce132a15bd5075a862318e4790e2ca23286e2288b26a6703385cba6858ae27f50c5df066bd2a680e2bd6cc97

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9c237365b9b9028645fc965d3e4a9b19
SHA1 a8ddcbdb4d80306d4793f7c5c441edccc28942b6
SHA256 7155f9e3323a84c62c5819732130c53a7a090672cce779afd9c8aaa35f5f4ac9
SHA512 e73422d2307125872d26db3b1dae1777a94a8fbd3ec8e38fb55c7e5101b2533cf19055def56319a579ae961f86ee8e5200cc014d54d304bab084fb7129e3c92c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 99c36609f1bede0c679c0b7141e20c26
SHA1 b050fc724ea757327d1fd106fdb6afb5bbf6d61f
SHA256 98041e02ac60f25e05fe560fc9f8d99775a6871db4bea9faa3145b42719c51ce
SHA512 8cedae852cbf5fb21e676ec00b539e57119b675289cb219b8796c61875475bf369d78c05768dc8a1590205121ed2508338d3b57e204f00d84367342f5f27278f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ae9642c366f3428c9f3c41c806e595eb
SHA1 f33b0cdec05d74040c3e07077a5d867a123261cf
SHA256 3ddd940cbb880aafb9e27fc808f5ae45683c61148ddb2deda66a84aa535bc20f
SHA512 14f9fa8b0323a6dd24e1f3ab51512d1d23a86403ce109543c306684afcfa1d7bd8aebf897abefcb3d787c16ee3fdfc6e388e8f6161df184c46fea631e161284b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 14a5ab175459d3c59bd4a500946f4d48
SHA1 19d0f5bb1d5efc65cbd3340b2e570f73fe33e8a5
SHA256 b0e3e2c4ae2a5ae4d4d46279f83fb94be377c089ef1d7a38b6cb3c2a04667678
SHA512 921f43ca0e0b2c082b5e1fa7b5f43c43ad2fb767e283640cd93585f24bc6f0d4fb4c8d02abe75ed1d0cbeb21cdb94800b57466e98529d2b472c0e731454093c4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 916026308a95a6a07e0689e3fff10fbb
SHA1 86a06a2218c7f9204f861d27ae43b2d3305e9915
SHA256 77d73a38ec7cedbe68540dac5f123df3cc92f9aee2e7d7476fce1c1fc273db38
SHA512 19017dd82258b0e30c467b7143f4cb9c643deb297bbfc13809b590262ea9f44d326fd1830396fea34c8842b30b53e0b120320f50ae81a6f124a02a0423862cfb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8d9515e8aed95da26d20527ab52e01fc
SHA1 07ca6161a21f2a2dc89c192db755e31819668f93
SHA256 774b60b8d3f0cd2a7617ea8fdb081de8465e44c1da60b26c3c4960227db0bb9a
SHA512 a228ce8d6908329c4e6e066956c0d3d1a1c70796f5f5c5f53f204b68c59607e5fa66766683c0b94b9d915a2ae97e0ee3de91fd48e589847e68be7a4531d8b95f

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 d8ca9cd12d0f8087b9e9ffe6c78b31ae
SHA1 fe9469dbdc0232d8b1a0f236e5d9704cf4bbbba7
SHA256 afc4544833c97ad80a45468635e1838e83f4ccdcc33d9fb356be9da1cff3855b
SHA512 c68e0116834cbb6e356735c4904f77eacad8a11252fe8a36aa6d7d2467d9212be6442fdb92f6d0daf5b2696a0fb4451aaf937f6ea7a3676f779db9c816795bd9

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5021949c14bad5cdd306f0df3dab8ff1
SHA1 92f8b1e459c150f8da5b5054a8773d556f180231
SHA256 94ba9a37df254ab4b2ecfb73a615b7c9f3b6fdb9433576ce4238c9cf77cab982
SHA512 e7da9bf032803c7d3cca38cd71e87a432e743aa1bbc4d3b833e41053c0042bfc91e367549f6b618e6b3e990eae9f81d1ae33cf19766a845e1de31ccb19629002

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 8cc1ddab52642e841ed01970b9e32a32
SHA1 0916a944066cdc86dd22535ca342ce80ecbc804e
SHA256 0dadb1939a8668e124c9fa10263a7063562d8daf10b7cc701e862666e74824ff
SHA512 c2d822d40128d7a3e26ac3342f31c1c95e7c6c7e14d8bb4091d9b1994e6a4e64b4f1936a1d4fd5d91ea9815572bf173d8df837243e09b51e6e796788ca657b44

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 f9f30761a938f67c81f9ddee8b30c672
SHA1 285222725756ca0f9e777515897d883d14043e3d
SHA256 8d2ae320704cd39506a7f03268fbeb382794a3bb2e8b6a261c830df8aa7310fd
SHA512 ff4703ebbbec8fd41d28999267fdce52b13c4ad93bdad63950a9623651de52aa5992b2c29c0f45fd043a9a27c958cb6f55a00066efb7e70187eb33d181740d0a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0220fa428bafeee2a06a4283e3054b1d
SHA1 4428afb95f11c29132d1a348fc879fd5c92a18a7
SHA256 a3da72edd2fa079043688988fd70e95c2fe235d015ef5995604939709b070f3f
SHA512 227d4f47fd64d2cac760f57580998d1f1f1d145acc88dba3db841fa16e7f4d86221b449ba57570130bd20df4ada5c15dab43ee9dfeeea9866f9afeebcd2c9f01

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 28c9da920bf81c358142c4e90e022656
SHA1 b3e9d1adea9d27d660ad4f1f6c10e020f156658e
SHA256 54cbf07b0cea176d4776ff4661d347746be7063b0cb22d6217c734ea0a316184
SHA512 7d4115fbc20753862e8356fdfcb9146b5d5987bd9976c512d3336331d91c8a924fec1dbb921d4418f2a430a1f68f2908481ee272350ae0bf5c32434ca983dd96

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 99631715db5474383bd0902f7a563f56
SHA1 f3cc5eaec19eccc527f2bbb107066f24a42e59d8
SHA256 84d9191291a9f52e809e9203bc598789ee0e6c015b47046c26ec1b1b32cf0d4f
SHA512 977e387976dafd58feb97957c2785582142bf9a8ffe3802d1bb11be4bbdc46b1ae279354ddff87f8cb790ed4505e6af2af4eb540f7c23f4c64a4e8386694a40b

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 643611749528968d4c5f90cfb389f2c6
SHA1 a2743a7a9fef22fc27033531be9ecae3519b3a50
SHA256 5ef1fd256c59b250590bae168a5e1ae08e6003662d5690ca2822a55e7cebe0c8
SHA512 11a66ffcb515201234744fdf1f70455016f8ddeecbf5efe5c799ad813baa4578b2dd566dba1978c63fc14416dfb18025af354b1329ed1d240e550008f2e3f1ee

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fe9fcbf7831960e9e92d035281ceb8e8
SHA1 811aae6e53b4a56c0dff5936e9abf2df7d25518a
SHA256 5367a8b803f7cb0c033e6d19203ac14fc64b4fb593ed40890de20c0d8b787287
SHA512 92641bfbc4b04c8211948b1c922440269f0597615fc8526a763d1ba1f4eb95e02a95bcb83954f612f7182bafb0ce557d0819fae6c5429ae30a962f5c64490046

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 12fe5a517596d6781df7d7fa7d92bcf0
SHA1 9ade9ec716a808cb70a5a19c64468060deba7022
SHA256 1f0518c0d4c011a0d0acaba92b869024af2d0a1e4fcb18fed7055d8af9b53062
SHA512 f665a65f61ee83bb6eb000fa518245cf7652d064112f7a9819452aff25c1746307cd1212069b9657ac868d0681e133a45690be720649c5d1daf75c9a8e5732fa

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6909e7fa1f017f54e8171174fb13d57b
SHA1 305166add3904a2a64c447cad36897eaece97323
SHA256 cd3caf25bb780b00cc45175e0260242f83027b6c9f2dd92da90c3ecb3fd3dff2
SHA512 f786c75cb8a82254af97379714e477bab24834579778cd9a474eab9fbe0156b2d82fd08471426a6f617a6d09c61514892861717f44bbea854542ee828b93d3cb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1c0f696f84555d5417b64249ef5986bb
SHA1 49733bb7475d60eb253257d1187dfc1ab675716f
SHA256 0a1343846e885ed92f4b43c0554e128812be0eaa17103fb892d8f8c23bc2a552
SHA512 60d9c68f95725ab03f61408c5044db2fb6736e3d59dc69ebd75780a8eb4885d8923bf02e6a380387cb57777bf50cc389a6da9651e0a050f8bd5c9c586d08d78c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 657454e19faf748b262faf86c4518f78
SHA1 ccf61d008ce226e0993b970384418fa1516398aa
SHA256 1add11ebebc02bf8d0fa0e5b092b92015703a59af9208e9bcd9d2dff42009e48
SHA512 84ee9d8afab95d3aa7a5cd840e6bb939c88d99003eccbf94c3c220d783eb58c4b2f3c74b646c30b836ba54c1a8d38c64b8db166d5d1493a2764d63f623a4fa5c

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 89b30aa3e7223b0afce820a4b157d301
SHA1 01861fa549c9503c0c0964428e4a48eb85bbbfe3
SHA256 8571e26a3dc80f050466aafcd362092ca6ccdbd285ac85be8f4d0e1e5dee4055
SHA512 c60d9dec2c1daab98425a044a9bdfeed3d02e49944858d801d2e82fd062dc0156a03a1a31269b64f9530303bac0219acbd9d4f8a874909bd92b23e84c1b4586a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 3337d3454b5c0c62c54d561547c3d389
SHA1 d90331210745c5a9f2fb2d1a1cde2f5f5c99171b
SHA256 87ab7bb2c12d78c5bf2860e644059c8496ae473aaad0a30926d3fd9e25ae315f
SHA512 9d1501815839ca835627af47c6dbfc16985b56f55db31316222234aef8d0b7965b4dd198dfbd6c1a35ff360e8adbf1e81b0e4aad919bc6a7ce8ad08353154d0d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ba1d355bbe50a0cc0a018ef108604b5c
SHA1 b38f50cecd95520abc64c979ac9f09ebb0e90766
SHA256 54cbecae388ba272ab37083ea47327f2b8f75da5629646f83a6bbf955ba240dd
SHA512 637452779b078262ac15dd579fa21c83d6f71e70e27cec199fe5c226a99cd4192daa2c0b10b78f90e97e21d9467a6494e0a7e94d92636f593d1d78b940887ec4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 9f56b56cc26ade4b761790d1381c6c54
SHA1 3f505562ca28c663827eb6c6d236977b3574e0ac
SHA256 54da561eeb043a591875ba93598e1dd3a8b5d1d4d9e4a165cd02fc63a433dc54
SHA512 6df321712022617c83eae7cbfffaf532b947785ea2409bb86263ea47a4c974eb677a8470bb31023ad432974181b15b39e6b884f6ca29a7dadef1a398220c0626

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5422ecac542593003558fc478d89e317
SHA1 2f46192b8dfbf59d52be46a1fb08d106e886e402
SHA256 b2bec616a37ecb07a7a5c42cef2ff3a905185fdb49bf31484c2de3448b66b431
SHA512 6545b580c5585d075bc9da221ab9561e1a3a57b3e3b29628d407ff31688a1499a1286c03d5c9da4f7f9566562daa8933862fe0cc86890f14506b8fad02cae5a4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ec6238e51df2b030046cba90471c1175
SHA1 2bc680345830d2dd97fa3bbf89746993ad3f5ade
SHA256 9e989bc1f9ca1920d36a5e8b27b667d914120eb33240312c4ae145bb98df785a
SHA512 cfaa49eea9ff6a7db740a937fe797cc323aa196f2725511cc8f985f3346077e8c9033579454091c70066b42ce9fe16070cb74327348fa4f5dc6c9cfda41050c4

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 797eb1e37902073885f51f6da29f1786
SHA1 821b1cbf24cd7ef7403b728fd8c6f412615e5583
SHA256 263fbff929b435daaaacca1faee950296042a841e380943057b721a4b0aa91e0
SHA512 0b4ab5434ad0895e0fa630f02bdf4698a60bd713ab705e6ad2e533dabe50e3cb44c00e244b4249e1576c84b3099e88c36987d8e7a598f2790a6f56bb0914d124

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a3acb7bef43d6e9621656ca17bbd131e
SHA1 4d2301ab5bbdf9d1b98dad3b243723b063d6d229
SHA256 a7251d519d123ab1c1340c380e30dafdfb69e065098d8946e6ed04fc0978e926
SHA512 ccb9979930f6dcb4643d09b6af3fa3e9d935dc6e2e7b9bbfcb94f702f2023a16b835b6302bfbcbd9ea9df65bf13bc20a25fbb3e41dcefb3b929c5c97382fc2a5

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5ef4e5dbaa6dcb1316791fde4e072efd
SHA1 65fa613bf31a5d09db1f0adbc89e56beedfe8c09
SHA256 31c6307c27ed0e869d0de90dbb9e80bd2d9d41c560f91047248b292e297f0d0a
SHA512 63c1df53d137a110b3e0bfd05ce6f9fac5850cc2976f0953d59f81a13031a70542c30916812195bd9d6b0ab8f2541bb406e255d46da4f23a2ac1a2fc9558f53d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 4e667d5b4733ee566e0c5fe31a62d546
SHA1 b565dc455393045a789000fa520b81de3c347275
SHA256 4344ac2baf275d2e860a4610d39bb3d0a8e734e83888c3ea328db98b067b9a52
SHA512 e62acef591a32ad60f40f97022c2d498a85a9fa8fe6a901b7151f0c945a78a488c140f87fcacc3edabe36853b7c702b2e4e8ac22b2fc7885df6a4f4a3088cc89

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 c5203783f0f5731ed55a32d6f92490af
SHA1 063a9ec7328c110776cd450322099693f8649ac9
SHA256 cad8c348ea385a1eacc137ff76e5602cd66f92ec15b0034f01e6cb31d31bf19c
SHA512 e3ea73d597bfd5fcee54e36079acba2d4cebe7ed837b6b3a038bff30cee513aec25309cb8c9e48fda9715ba1aa1798383ea692e3cfbbb636991db984c5ec25e8

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 13189c75160be0b76d10602918d9aebf
SHA1 27962160262d09f48953c74bc87c5584d64ab73d
SHA256 b11e599b5808a035c396c069eaf87a8383525516c6439e7d9229eab922158c97
SHA512 0f201e97cac84eb1e2b3311f34545d32922f5b35d6b2c835ae4583af1642fcfa1a504dcf960ac834f4d5793254c8852f4ce5fe9449035d1bc5a0d689cf12d9f6

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 0af44993c4f2093d0013a39b02f2cc42
SHA1 dba15039189676de5570d2a49fb56d353f89a6cf
SHA256 86460287d7a6679acec4ee567eada762a5b7fdec33f4f7767c4b7c9bc3aa1d6c
SHA512 0350ef035a83223747704568b0e0f05f4879b0d4b93360bd07d2d2779cc2ee31c56911070068bbe84407e549ee988bc3fbe9bcc736c44c30adaac9d63a0ae93d

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 1ddc78e94dacedac977841571c35fe50
SHA1 1606bd79cdb9d27bc728c0e61a95da15aa8bf710
SHA256 0209cd1219ae4955747273a84f7370b3345631681a8660395ae938de1af1ca8c
SHA512 a62f7a7fa8a0ca6339a70ce456f2a411fc2d82d0b0f499547d578b549e66173e311de20356a5d313934e205a6aa2838594e0edc274958cb65d44a54954be1c1a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 a61af39a4a066299f2ab16e148d2f5dd
SHA1 ad64a033dbe8cb946eb4f326d09572405a435936
SHA256 97f577a1e26c3b29a35a2ff01760455161a2b078f4e62fe643adc76845d57029
SHA512 d004d5fb8e872d362fc198615641dd6b61922700279e3150082b943147c1c50946e5ac2da99a8adf9369e3928c348e3fce27228969cbce6fa922b91f5f6a13a7

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5101e72d2f0f8a8fd6f3275e8b01c673
SHA1 eab78a365cafe6f2c7b0a995a7200b67fbb0efd4
SHA256 e0aed7c395497f77406830456b22b494e17ed51801ac0e7fad509c804ccfb214
SHA512 29377864bc49d88d8817aaf072945b7cd193b30e454da17dc8a982b06507d34de7cbd825ff3b8bc60537f4368af8be2d11a17d997835dfde7feac779ae236189

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 94328d45eac4989959691c9e93f0da1b
SHA1 d77a9167d513c180dc7e969ddd19bc9c9556f535
SHA256 4462cac97c59ab0ef2eed825854f803aeb5dc397fd941af4bfae222e4cb4182c
SHA512 c374e63c0ab179b3431d6628c311d734e319cdb12dfd903a25ce8f2953c4cd7637fdb1d79cf4d8f82c0135eacdeeec881af601c5bd45ef4867b382d88c3b8b24

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 7eca1ee945082ed4d2625b156576aaa2
SHA1 7d416cafe78d7a8a8d491cfe26f47fa80b4e0e04
SHA256 916167bed68419a8d40f7f34a0d98f29b3a4c6ee9966d6a2d5c2cf958f06c49b
SHA512 b50795fa66d07bdc9490dfc97851fcfad888e7a241c5b1cf70635de23ca4948e2c9ec0705c380340d6ea3aae7f053605bbd3cc4588826084195f918256c377b7