Malware Analysis Report

2024-12-07 20:11

Sample ID 240827-l51w9svhjd
Target c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118
SHA256 3e8664998ab309b5348dadd6e92e64fa1229ff63a084f2470d605d892f1dd445
Tags
cybergate sality vítima backdoor discovery evasion persistence stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

3e8664998ab309b5348dadd6e92e64fa1229ff63a084f2470d605d892f1dd445

Threat Level: Known bad

The file c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate sality vítima backdoor discovery evasion persistence stealer trojan upx

CyberGate, Rebhip

UAC bypass

Sality

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Deletes itself

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 10:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-27 10:07

Reported

2024-08-27 10:10

Platform

win10v2004-20240802-en

Max time kernel

22s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\install\explorer.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{432X5K5Y-4Q88-H7P1-47RH-LGAI4C3Y37W1} C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{432X5K5Y-4Q88-H7P1-47RH-LGAI4C3Y37W1}\StubPath = "C:\\Windows\\install\\explorer.exe Restart" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install\explorer.exe N/A
N/A N/A C:\Windows\install\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\install\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install\ C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\install\explorer.exe C:\Windows\install\explorer.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
File created C:\Windows\install\explorer.exe C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\explorer.exe C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
File opened for modification C:\Windows\install\explorer.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\install\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
N/A N/A C:\Windows\install\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 1100 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 1100 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 1100 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 1100 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 1100 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 1100 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1100 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 1100 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 1100 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1100 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1100 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1100 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1100 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1100 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1100 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1100 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1100 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe
PID 3588 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\install\explorer.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\install\explorer.exe

"C:\Windows\install\explorer.exe"

C:\Windows\install\explorer.exe

"C:\Windows\install\explorer.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 1000keder.no-ip.org udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Windows\install\explorer.exe

MD5 c4c921fa95f73a8404d58d4dfac91271
SHA1 0b2e4a9a91e7841029c3eacbd82f5b626da2c740
SHA256 3e8664998ab309b5348dadd6e92e64fa1229ff63a084f2470d605d892f1dd445
SHA512 1334478916cf738fd469cb1e2ee9b9fde6b0ee706b3f99c31f559126b99fa75bf4df7adfca2a37e911cb60f08b13a88dfa190cb3eee5633849e9d8d2e3f78c4b

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 309ada5218d4e2c003d32878965c89f3
SHA1 8939194e2abffa4b3ec0f992da2e031162e7d9e5
SHA256 96b485c491be82f00d160fb7ead994b45dfb265deab9e8351a445b556c62984e
SHA512 3ed5a3342865c96c64b97ae9ca35de724044794339e05435e4596fca9fda6f2df70822ed8d4ea1b0efeb232ce03fb5b47485a8f11c10d92b05e3001cf715966d

C:\Users\Admin\AppData\Roaming\logs.dat

MD5 e21bd9604efe8ee9b59dc7605b927a2a
SHA1 3240ecc5ee459214344a1baac5c2a74046491104
SHA256 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

C:\Windows\SYSTEM.INI

MD5 145500bad5aa6f69cf270dba7b7d47ca
SHA1 4afeb347f121dec4df3899afc6aa49d37085e00b
SHA256 fd99e00d2cd2036ce5a1f5784cf944633c143299005ed1b64a4dc6f8d9302611
SHA512 3390f7d563531cc1e31c2b3ef139484cca27ec22ebe806ac7fc551a41b7dfc6adf41966521533151966c6dbfd1ee06e9c866505b76d3422bed95caced4fba39e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\88603cb2913a7df3fbd16b5f958e6447_03d68389-5a68-4d9e-92ac-47b927e624dd

MD5 5fc2ac2a310f49c14d195230b91a8885
SHA1 90855cc11136ba31758fe33b5cf9571f9a104879
SHA256 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
SHA512 ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

MD5 8b39cae30b1791258105f0e31d971556
SHA1 0bbee33b5d77afc1f47dd5d98a2267b3817e9ae9
SHA256 d49ea7a98d8cf5edbbc463a79caad75b42f2a9dddc8bf6ad39f2f64e6e628ead
SHA512 d84852bb81e463ccfc808677a4a11c935caa2c85b2318f6fd81fa0121773c67687c2fa73f68e2c6bc2397a0238838ffcb7b982f63ab2b437a2c2049956198960

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 ffcfa7d82a1cf36c15a202e19be05269
SHA1 98a25223b8e5fd511be3126a5bc1ed770b737c3f
SHA256 a480a5e9040d2f107739cf0d3b8c15a4920662da544258a40cb0de0490480d6f
SHA512 32cf8e3b03ff084972a3ce5844b8bdf01b1e4a2239e6eb1c10be3422124d27b678d2ba5e28eb35540f71d2e34684672ab823ccce9bef8decd7ee2e96ea0cb864

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 74d0bdebc4e82024362b58b7d785f0d5
SHA1 db21d10a9089145f08283269c54aff9ced2ac458
SHA256 4fa286204e2f6c228faeebcf338ba6d7432fea14524764668c3e3d208b696794
SHA512 8ccb7b1203c5d30326db45f4e8ac7026c3e465bc78f9ffc9e1fe9d9c7eb3e92d07aae4c54faa5c7ada3b37be5395f1260bf815135d7a7310e4eeb783258e2ab3

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 e4916b7fc7e6f1230000203b38f32481
SHA1 62be2cb6df8fb43e05ef1f18ec23de6f37617e44
SHA256 14560dab1f4e471f7de76d589bf164154d206d92a52036ed2a059c31fc878720
SHA512 be5175cb9a6c6b02d52a13e7172ef42e6014f69093d0a52aa7a974a3498efd54de0b6cbf6a7a73c95e87b94a684eff777931f82e3c4a71eb955b1d42c2a27795

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 6c2b376709193c25e5f86f802c4877de
SHA1 d46bd5c896d3bc5fd3c90af3ad6aa5510438969e
SHA256 f315790c5486822b643527cc65ac62efb74a985c339d33cf2e223fccc7591070
SHA512 892f5b364516a917c1c1423416383389384272dc2f551396ab7f37a5e49f8b4d3137af43a8e26721361c72c9f0c64b1882845d90ab87763d472e0711ceb5357a

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 5a41bc1dafb6df3296a703a0026e5cea
SHA1 025b1d6d063489d62b213a522f27a08a7b46daaa
SHA256 30753562808611c1b1c481fb1c48190fc577b0d6143fac4c484196dd031a128a
SHA512 55d5ba56668230c0ea5b0ac0d0e1a4d8c64cdcf4f8492049744894772f747fca4a4d64f7c87bad54a727d663b1bb8ead6b649768e38186e15eba0c71331d8d32

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 53a3336b3ad8654ffebab48fd45cbbc0
SHA1 dea772727435bb0b78c8807f8a356a2ef4b8b377
SHA256 db931611ce5d1dc17300345047ff799068159f7db8b9a0927906e347cda2cbf3
SHA512 5cac97cbd297dac35c9013e4707d545f25d38931dc5845bc5ca4946ae56eacdd5366e0ac80a6ed2c3be67c25b21070789cb147d0ab20b623949838ea44acdffb

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 fc8515d46cedffddf3748a2fd7fe4300
SHA1 ecc4f374b41d189941bf49ff04f9ee5b04280b19
SHA256 166d32b0c6597b2c72bd77b4020f5ecf11e3c3da63827792f7d3510f4081a087
SHA512 b0bc45cd1a5008c5016a674a0a0225f0b00b5aa2e90d4d61d31f58eab0a9aa0b367eeef73d01162196d52865778a7c4c93a5af7eb8f3e71266e5986c4a36e170

C:\Users\Admin\AppData\Local\Temp\XxX.xXx

MD5 218855470169c7022dedc3d52dab3356
SHA1 c7c433c5a786d1b76582ca1469dde7c833981cca
SHA256 f3238e3084776f95e8596df1acd1a350de76e85fa1d2ae8ca27b1991458a6eaa
SHA512 06f6d9c2db7c57e3f6aefcb50339e64bc47f11539f7ac54af4c8a2876ddec3fb65f489b24433b22a9486d0612998e90b6225ff48dc7efde7f86e1a501d2493d2

files/0x028200000002342f-8579.dat

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 10:07

Reported

2024-08-27 10:10

Platform

win7-20240729-en

Max time kernel

140s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c4c921fa95f73a8404d58d4dfac91271_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 36

Network

N/A

Files

memory/2296-0-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/2296-1-0x0000000000400000-0x00000000004DE000-memory.dmp