cybergate | 26c0ed3277683d94f9fea0b579ee8d13da7a5b904278a2acb452c4aa505b8d69

Analysis

max time kernel
20s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Size

483KB
MD5

12d616d93ea21ec2962f5d97485e987b
SHA1

1b60be15ba28018945b498a259953c0034af94b9
SHA256

26c0ed3277683d94f9fea0b579ee8d13da7a5b904278a2acb452c4aa505b8d69
SHA512

f96dfac790793b924751889c59c41cf5b323b7d8b31928a2744d065b4a3c70fcf4b30b46d3a73ef22e02294c585262a0250046ea1350414d3fb458c4c383ae72
SSDEEP

12288:NkwtMquzFKIUVz8u3Q0KiMuxbjTShrHwFClMx578eQnA:Nki1Ew5Vz8u3njfbsoCyP78e0A

Score

10^/10

cybergate ramnit bilgisayar banker defense_evasion discovery persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

BILGISAYAR

coded34.no-ip.org:81

coded54.no-ip.org:81

coded54.no-ip.org:80

coded34.no-ip.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Driver
install_file
ctfmon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
789456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	IEXPLORE.EXE

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ctfmon = "C:\\Windows\\system32\\Driver\\ctfmon.exe"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Ctfmon = "C:\\Windows\\system32\\Driver\\ctfmon.exe"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIPYIVMX-238F-O4B3-8V66-MQA3MV85A18C}	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IIPYIVMX-238F-O4B3-8V66-MQA3MV85A18C}\StubPath = "C:\\Windows\\system32\\Driver\\ctfmon.exe Restart"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Executes dropped EXE 10 IoCs

pid	Process
4072	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
3680	DesktopLayer.exe
3008	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
4404	DesktopLayer.exe
3284	ctfmon.exe
8	ctfmonSrv.exe
1060	DesktopLayer.exe
5116	ctfmon.exe
4284	ctfmonSrv.exe
4684	DesktopLayer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Driver\\ctfmon.exe"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Driver\\ctfmon.exe"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmon.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Driver\ctfmon.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
File opened for modification	C:\Windows\SysWOW64\Driver\ctfmon.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
File created	C:\Windows\SysWOW64\Driver\ctfmonSrv.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\Driver\ctfmon.exe	ctfmon.exe
File opened for modification	C:\Windows\SysWOW64\Driver\ctfmonSrv.exe	ctfmon.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 3284 set thread context of 5116	3284	ctfmon.exe	96

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b88-4.dat	upx
behavioral2/memory/3680-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3680-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3680-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4072-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4072-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3308-21-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-24-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-26-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-32-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-29-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-27-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/3308-38-0x00000000022A0000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/3308-28-0x00000000022A0000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/3308-36-0x00000000022A0000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/3308-60-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3308-57-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3308-137-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/8-175-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/5116-207-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8983.tmp	ctfmonSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ctfmonSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8AAC.tmp	ctfmonSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ctfmonSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px800D.tmp	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px81C3.tmp	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmonSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmonSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E62BB553-D92E-11EF-B9B6-CAFD856C81B1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3680	DesktopLayer.exe
3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
4404	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
5116	ctfmon.exe
5116	ctfmon.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
4684	DesktopLayer.exe
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Token: SeDebugPrivilege	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
3320	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
3284	ctfmon.exe
3284	ctfmon.exe
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe
2600	iexplore.exe
3536	IEXPLORE.EXE
3536	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4072	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	83
PID 4736 wrote to memory of 4072	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	83
PID 4736 wrote to memory of 4072	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	83
PID 4072 wrote to memory of 3680	4072	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	84
PID 4072 wrote to memory of 3680	4072	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	84
PID 4072 wrote to memory of 3680	4072	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	84
PID 3680 wrote to memory of 2600	3680	DesktopLayer.exe	85
PID 3680 wrote to memory of 2600	3680	DesktopLayer.exe	85
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 4736 wrote to memory of 3308	4736	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	86
PID 2600 wrote to memory of 1872	2600	iexplore.exe	87
PID 2600 wrote to memory of 1872	2600	iexplore.exe	87
PID 2600 wrote to memory of 1872	2600	iexplore.exe	87
PID 3308 wrote to memory of 3008	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	88
PID 3308 wrote to memory of 3008	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	88
PID 3308 wrote to memory of 3008	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	88
PID 3008 wrote to memory of 4404	3008	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	89
PID 3008 wrote to memory of 4404	3008	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	89
PID 3008 wrote to memory of 4404	3008	JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe	89
PID 4404 wrote to memory of 4728	4404	DesktopLayer.exe	90
PID 4404 wrote to memory of 4728	4404	DesktopLayer.exe	90
PID 3308 wrote to memory of 788	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	8
PID 3308 wrote to memory of 792	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	9
PID 3308 wrote to memory of 376	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	13
PID 3308 wrote to memory of 2972	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	50
PID 3308 wrote to memory of 2996	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	51
PID 3308 wrote to memory of 2096	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	53
PID 3308 wrote to memory of 3428	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	56
PID 3308 wrote to memory of 3572	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	57
PID 3308 wrote to memory of 3736	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	58
PID 3308 wrote to memory of 3832	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	59
PID 3308 wrote to memory of 3896	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	60
PID 3308 wrote to memory of 3988	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	61
PID 3308 wrote to memory of 3552	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	62
PID 3308 wrote to memory of 4984	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	74
PID 3308 wrote to memory of 2176	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	76
PID 3308 wrote to memory of 556	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	81
PID 3308 wrote to memory of 2600	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	85
PID 3308 wrote to memory of 1872	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	87
PID 3308 wrote to memory of 1872	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	87
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91
PID 3308 wrote to memory of 2208	3308	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe	91

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmon.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17410 /prefetch:2
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:2152
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:82950 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3536
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17414 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4312
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
    3⤵
    - UAC bypass
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:4728
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987b.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3320
    - - C:\Windows\SysWOW64\Driver\ctfmon.exe
        
        "C:\Windows\system32\Driver\ctfmon.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3284
      - C:\Windows\SysWOW64\Driver\ctfmonSrv.exe
        
        C:\Windows\SysWOW64\Driver\ctfmonSrv.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        Modifies Internet Explorer settings
        
        PID:2884
      - C:\Windows\SysWOW64\Driver\ctfmon.exe
        
        C:\Windows\SysWOW64\Driver\ctfmon.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:5116
        
        C:\Windows\SysWOW64\Driver\ctfmonSrv.exe
        
        C:\Windows\SysWOW64\Driver\ctfmonSrv.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        Modifies Internet Explorer settings
        
        PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3552

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2176

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

files/0x000c00000001e4d2-7534.dat

Filesize
8B

MD5
c886cb70719904606fb8f868a73730d5

SHA1
f1544198962a0ce6e9bcd0de781687f639951772

SHA256
dc21b137fdd6d3a968861621d24d117085a96c637d4abb27b7e07f93bdefa5d4

SHA512
f5f6e2b278987f3d7d07838410461ec29c2105f420a764e8ff6528e242689898c1ee83d51267a35959d4fe404bd87e2629a979a08d03e126844f4009417acc4f

Download Submit
files/0x001f00000001e29c-6806.dat

Filesize
8B

MD5
0fb960c5977dd5f211c5fd5ef1b1f003

SHA1
7abcee59a76886d45c71dcd6aa05e210660a0f1b

SHA256
3da574ec10deb2a5c2f318ca7771c29fa195e2a7e6c5df9b3480e4394eac5fe7

SHA512
ac5001fd8812a7b938db631330524b2123fd0d7267ade3a03ad5587a48e383708164f8eb1e3dd0714a124d7e352a88d13d4bba699b90ed46267e7faffda0a6b1

Download Submit
files/0x002100000001e595-6470.dat

Filesize
8B

MD5
0025fc7facf7b764fd30d3d724b0f44d

SHA1
f157cca211d1ea96d022cbd4bc5fded68c81aa7f

SHA256
0814c9ab1f36b3b5358c6aa3e107612e792b7ec90749eb089dd3a4547cf83316

SHA512
524ca2af09d0512b0b2321f892e848c80dce92f6e24301ecea99e99a9c0a8fd909421a2ac38955a9a0590a9a1f13d9ccc77892a9b01d36fd23725c1a3eafebd1

Download Submit
files/0x004e00000001e29c-7016.dat

Filesize
8B

MD5
d8591bac2b51f5c53928a1dd5b7e1628

SHA1
10a062b086f96f78640cdb116991681af34f8c16

SHA256
edd006819cf2bc0b2f4a963000c0ed3ebeb632c8e974b136553a041484972767

SHA512
ba32107ef9e8bfbc96dd24ab5bf9e918b0d09107aab0a6927b926210c368cc26d1b83b4589604cedc3247600aa5a71748db0f81c7d49cf8a97450b598da2a25c

Download Submit
files/0x005800000001e29c-7203.dat

Filesize
8B

MD5
b4a985fa4935aa35473ffb0a21ac4f58

SHA1
4dd46cf1fd0e20fe271dc357eabe4da7d5ac2d99

SHA256
39b09de1064e14d730545ad9db5ccdabed739807c230a0ceb7c761330424020a

SHA512
3e07d167ded337d691ad4c9d3a37b88a3ad45911742408a72f700245d8521041c63f9266bb07e40816fb8f9a7e10999cec50800877b388526729d8a0b14457ba

Download Submit
files/0x005b00000001e29c-7221.dat

Filesize
8B

MD5
4cf27afd5f9b1202a81cdd702801f101

SHA1
f11b49f7ee8d5fd705b0b12d4d0182ba209979ff

SHA256
4d95d80cd1d518062be578c9ad10302b7e44dfb63082dea676965c07a118ee99

SHA512
2bed9cc0de3c76bedc4849a34751caa41a2626ad640155408492e8348da4f9dd69de902b46bbc4b3b79e7fc2be1061cc2426b2ebd5158ac24cf4023e9a4e16f3

Download Submit
files/0x008200000000070b-7154.dat

Filesize
8B

MD5
0f261c5c0c7aff62db7f0c66ce732b72

SHA1
ca9fbb0e23c2335d5bec18424c1788491b33d259

SHA256
1eab4deb0889afe273193dc924b351c64c7a578ac007d39994f6dda70c09c94d

SHA512
1f2c5fea5dc5a8984d1e48bbaadbf9abf43d2129c623137a4e7841aa1de126fb6bde4c69b73f2899f2f8f2b10390f8010c0406e411ad5c6d7e2fd186ac336831

Download Submit
files/0x008500000001e29c-7457.dat

Filesize
8B

MD5
881fd93aedb1d4b149e12943ee81dcc1

SHA1
e3517e788b6278de73b4893ddbf2c88fd123b2cb

SHA256
ecedbd239300b4c7d7c032871350fdfbeeba55c588c7ad124e1168cf16ce0a6d

SHA512
2fb862fdbeb51def50f7b9d5a01d63377db9f21124c14eff823ff4859654e1c0fe3f9f5ac1de6a1cf4248e4f79853d3b5d1587fb5a094e0cb43bf2e73ceda7bb

Download Submit
files/0x009400000000070b-7193.dat

Filesize
8B

MD5
a58a3654b24e9b9fb0e51af3edf85e79

SHA1
9a9894193a54d6d5e350bd14424f4e882c3fd861

SHA256
a55210cc25fa1b29400702d932277de66aa5c27c1016867d2b09f567587ca770

SHA512
48bb4c0989c253e6b522eb8dca9f25d161afb956bd2c9a0864c59c858251195e07f7d73bda66954ab8fff5a1f769e6e1f303bb5dc0d38543fa24c572adca7f60

Download Submit
files/0x00cc00000001d9ef-6848.dat

Filesize
8B

MD5
9d0ef31c1477aa1e60350dbf8ddc69b2

SHA1
e9d8a0570c9be9a254827b7c9ea2119c4c3c81dc

SHA256
40faf2674e4dd1a4b1e74128efa5fe164c0cb550179c5539dfecfc29ee70dd3a

SHA512
e921404f9e1390b8283f2c85d61aa06268d3a070a3132cf9ef57f41ed9df34450ac4e2aace6b7bcb1812b10681226a5fc56a56f873196404725ad6d950975da6

Download Submit
files/0x00d700000000070b-7296.dat

Filesize
8B

MD5
872f0e95fd0949e913c3f2245b36cc2f

SHA1
9fccfb8bbefb890b9b3acd58f22fa3a7bf4ed1dd

SHA256
5199837a72ce8aac9e982527b0a8aa1c0c3be105cbd423339227fb1a41c350b3

SHA512
fc3ee2490cb10fab96fdb2f73f0a8bfb3918a96357201afae77c4934f389f8afc4366f8697895cd175a943066e2ba9e0ec2c0438bb1410ada9a6e012e96a6176

Download Submit
files/0x00f600000000070b-7398.dat

Filesize
8B

MD5
b768ea7fce4e4d0c82cc1d069126cc8f

SHA1
f16d3bc3c313932c9b5d0ef7acb89beb3a3a473f

SHA256
9638ca4267911cb3bd11cc6eda24b14d538fbb42aac51f7f36c9d04d589e92cb

SHA512
6266c629012ffe4d13743c2721ab6f6f7a11b511a691c929f26d4dcfc3b68d61059b55c6643b49ab142c1894d892d04a9addff84c695117dd1eea7cf6c187aad

Download Submit
files/0x010a00000001d9ef-6872.dat

Filesize
8B

MD5
eb6851d3538a0f8b8fdff43feaeb2ca2

SHA1
0d2550a78641c0d331d1a489d37a47280d5fabb3

SHA256
cd1b2506ff9336dd8783d70f2d3facab5250745a7e067b245a464ebba059384c

SHA512
3f85c30bec73c243ed816269475efc39864c1d1f94273bb30f8e0841ead0aad620e329ac5d4755ecef3761904fad7aab2e761fe66c0c53e05f0d3cc498f37731

Download Submit
files/0x012c00000001d9ef-6907.dat

Filesize
8B

MD5
f602c451382106023894fc88c6049cfd

SHA1
ec4f716d0fa861115dc2022b3460ae72d906843a

SHA256
6ced6b23f60938e007a1381b5043db252f767b1fb074c596061ef587f82991e4

SHA512
6d46c6e95a840a8a75c8c808a9bffe66613496807dd98fd34183f13bb3c4f60d9c7d1d02b47c19b9b50270771027e212e2e31466f36f581e26fb88db054cc62d

Download Submit
files/0x017700000000070b-7483.dat

Filesize
8B

MD5
5536f9bee5fad8fa78d882f95c632d86

SHA1
b1cc148625abc71caff853f33ccb8e2500641564

SHA256
1950c2aaf8b0e62dce90b24a99631cb585a2f348f62a719fae553e06a981bbc0

SHA512
3daa75431d0a4d9a1c00bc7682660074fd5afcf4cb64a3e95316cfd81e98fc91bdc39afd9fa1cbcca5ad1682ac30b636a2370509ba2ee8faed4cbbfeb24eab2b

Download Submit
files/0x01af00000001d9ef-6984.dat

Filesize
8B

MD5
c14130aa9ffda2eea340011f979b1339

SHA1
faf610ec0a666e0f5c2156c6d6e7c16d987443cf

SHA256
e51a85f7165e4e7bb230ac111bb0db98d8fb54b5b30cff95dfeb936781d59faf

SHA512
0f4d82be1fc388b1e8d86329d83d9651f6160c03f7d0323930cab29dc8a3350d3fc838113b6cbe609c8c3a23bad0932001a515d9ac50520db0a5f53b6e9f1079

Download Submit
files/0x01c300000001d9ef-6992.dat

Filesize
8B

MD5
a3e075ba67ce143cf9ca21224724325c

SHA1
8a4cfe5c7a380c295bc25899a32515ddd26ab16b

SHA256
c37d603e812cbe6ea8aa20eb4cfd6e72f60909e2e33c6e2ece4e6954162d28dd

SHA512
f7448c528e8f67783f1d9e602fa75e1c276e4768958f2c7c33ca0011e8725ea9beeebfd5f22becfae056cf76e2dd8a33a67809bf52298e0c28057626a2305469

Download Submit
files/0x01e500000001d9ef-7037.dat

Filesize
8B

MD5
3c5db6391d23237ce6efebdc83fce301

SHA1
0bb62777fa5a5fae889e5961d73fa8d14c2f7c19

SHA256
0f692bf28eefd0ec302b49e75e158e6f879173261850be028d36d174066948a8

SHA512
240fc9f1ad889041f344037dca156f9d803de8b1a44fea0f691dfa6361eb9672f816205a4066cc5adb2807d35ba3f2ed5b253f2362f4b20bec2d32e8456b186c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2c48c73220d62a8faffe599e95896274

SHA1
452cd4222360fe7e881055d815ec65a2bbac564b

SHA256
35a3978f9dea3056b0c4a0a1945d785bb7a0022484782f414fa9ffa04f3d5967

SHA512
6547f2798297acc7ac11506328ef05f29074655f3e5a60adb188106c769806a2b1a8a15c7bd38c39da560df7df953798561398245667095536fc5748692cc9d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
68d120088a03980901abc019da8601d2

SHA1
3b7f20e6868344efce212e9e491b03e2bbfac4e2

SHA256
87c3e411d6b6e68570259c6eda1451fd1890b5b405b94c702421b85924aded88

SHA512
6d3b7cb8fae035eca27f9b43e9553594f45d8cb8b90b81f20994c05bbd7286fe8c65d39ba23c320a64b7dd70b299271e93cde143f6d7f98377e3ed347a028fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12d616d93ea21ec2962f5d97485e987bSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
caf5d1fd370b38667b345b9895074ddb

SHA1
fa8d7ac08f5a032879c643e877b1782b60fc05b7

SHA256
3381ad35ecb3b2e6470586e743df957aa19c8efd10edbac0f096f71a5be7b831

SHA512
dac837b4d2827f536701a5bad67a1a6ff3b3419d9dd2205886fa9dd04cfa7e6429a0d6b0dbb10b99a91ec061de533b4252959c7e7a4f66cfa35caf7c3433403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
d463aaf352519b6ef714368ae7cc9a81

SHA1
740f4b652fac511e094fafc05f185882a9f99d9a

SHA256
e9a59c24150d2f711668a299175f3ca78b38487e10827320e35309fe4beae028

SHA512
5bd714f51f2119ddf275f932e4f059ce0c997a77a1126d44d01aaad62f5be90647f6c3a7980f6752875818b3bc917359226383a997fba46b91e857971cd60df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b6f18a88c0163da1a3d824b2bc6f403f

SHA1
f2a5187f40338601eadb9164265bbc3cff014ef6

SHA256
ada8e1e6f4188d12c8dd8f432117008c8703ef4b0563d1ef7a20c5eba7787cd6

SHA512
518616d424247323979d1bd2fab042ba4822c666393a6de7cbf72f9e5c8b820867e1876dcd30cab586facec3ae1bf1a43be817569110b658430eb29c0b7c3138

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e3c640bb58760ea2d66e93991ca81aa

SHA1
22ff8995cd5dfad2890e73095bdc854d13826496

SHA256
3cb4fb0ba4a91b413578d1ce4a50db52570670f652c520b0ddcd9f4a698c9446

SHA512
ef92d6e2a7220f2514e2709ebb0e080fa56bc9e53abe5e6b5b6d3d75043cfdc88b5643f4bcd7b4252cefe540ad1452327e1a1614cfb7205e6f793d474541ca4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
feeb41d52c538669e6b48a7d00023016

SHA1
31dabce3650b22561df318a9b46fd1e9db83f4b8

SHA256
4a98377e88f78cb1179fe6986b704c43e8d34c6f48e412136707c3f508aefe00

SHA512
c4bdfd095e1b9409649e14ed3c6cdbf10bb2e488c7ee07a60da03442e9c1216aead4cf35be43f3cd46d812a0f5eaddc7f29b358892369ba586b0c4dbeccd0f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
62b4ab69f06001ae1df6b0f05ee14bbf

SHA1
fa84bf141305216b93db4010384c9533fcb46a91

SHA256
2b585930b3bd9ba6deda94c37783ce05ad6fb16c1b73245bf3e2c5f86e370752

SHA512
62c3247b15c1901bff1af56f7d110db78270ea9c4a4b6e81ce4d33e1d493357243ce40e11dfd7971473858e91b42ab084c02d5bbea2d965dc5c77daab9141e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86886e010dc90d56ff8d658159634e8e

SHA1
adef42aa8c564786292ff480568007b03e74eb68

SHA256
f16da9eb72b5bda00c44a95dc472d9d8e07d61f765dbd86dc3405ebfc6a21fdd

SHA512
c07c5f1cd04d1daa0e9c573308ea3c646fe75e358f4fee21257550774128b44144dd3419e6ba30aa11a9bb2fbaf96bd36bfe8be348e4b122214e235645b24096

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5ec78326f0f58a9b831c0ae15627c193

SHA1
35f2a734f62afb345242dd063e31b073fb3ae48c

SHA256
aa2bd519a0a9f42abd0015e8d629d865b76c99c688fedc6025f060bb539f0d59

SHA512
39006f4f198f753b2e8a4f7b5ce22fa121d059c76b8eb5c84d9357dcf9b6fc84467250f4dee713cbc9999456150155e9d3569de5e766c07581747e513724de29

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c7a318e51373175c51618efa48a417f

SHA1
51f629e621ae9b14043355eccbec373732f551f7

SHA256
09042aeb4f2d715325590a4e7bd1dba5d1db3a5ccbbe3ad27996270e36b5c612

SHA512
e33f61757abfe70732f77a3fa6da8a688f757400e99ab93e196ae0c9df89a335794a932cbfcd3986ba3b4314971818718ec9a35d5648fa7584129e288877115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08cd145ae54860849014aed6b3a88dbb

SHA1
e3de99fd7a10830db5bb96d2ab82631768598ac5

SHA256
6ce8be085a51c5f3d05ba69244e4b650a3b5dbc85882f6e8828587930845e426

SHA512
6aa208412d5ae927147dcc24dca0331dbce9d85dae162ce39470d0a600619c1caf190819aea5f3f7db6995228388c0bd46dd4a067f946b5ae9e72f73959a5a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a5e0697e71e3ed78e317377a4e77673

SHA1
139c3e1ec3cfc86e5df871a817a8e4db5b63b668

SHA256
154bf77d77e67c2be5f107c6584ed34819a3a998376c61d8d0899ec601fc5aeb

SHA512
15ad427567f3070b53247e3d93b5b20ffb6686160da77044dc8279275b80d1783b4abaaa16145a5cdef2486645c4e7e4a0a628f391e27180398c719a543de6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c7643da1a7ae294643044009f07aa879

SHA1
7386d29f90d0789afc0a9805b06d11ff4e2b957f

SHA256
aaca026589dc25840bb7850b8219529721f8ed4d8fa3775957d27891e7dc2db5

SHA512
ef31c3b737fbbc4c493ae15dae8acac3b3a1246012a92dcb58a62aeec5bceeecf4b9eb99f9bd6409859e2ea78908abb79714211048b66b790e1a53e5212e2a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3e2306e449646bc669ca525b6a7a8cbb

SHA1
14ac35e134f53364121ee3dd9f89e2c9b6d0d23e

SHA256
95abccb3c6c92aab29e9f4302682e2304e0283f86d46fa97782e36a222788b83

SHA512
c0cd4220ab260eec65accc68c272c08835cc255c80acbf2005e74286bd4a94717196d097f5dd030f906a186d33bb43fa577bf996a87d81b3c3ec8f0a8abec2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f4ab812d6750a59ac595596e3b7d0047

SHA1
588b0d570127615175cc497d7ec5409f904bbad8

SHA256
68fb26a86617810943a9b3327955b24ddef3bb0bdce173d522829d33507c284f

SHA512
0954dcff113697a7cf7bf9ca6ef7f8641c6a859bed004272f30b1e7c9e22e3024b863bb944af11bde3ef18719d805f90dcd8774add34168a24f28f9e25393f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ad877af741dc852cb9729d1caa8d370

SHA1
e48d37c3eb83b4a5c1bd091a5cf5452e2f4b6e0e

SHA256
8ebc9e84575f5b2e229a870b089fade3e72d312bfa5327a5754dee07e82a7c11

SHA512
7c1b61154dafbb4317af62d1f33665ea706bbb989ac8a8a773d09af820a2ed05b0caa8d933df33989406a26d96b04f67065db86476d286863f18f0b982fca99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4521e4d1fc325fcf19a2529bd4ac0657

SHA1
95d4845e872abe6368f5abd527340edac384b8b5

SHA256
53d3bc56842ee3f666f5a15acf38b026447f88e25ce48ebf8b165d9ac2f8692b

SHA512
078b72a94944a644fc1cd0c34aa4749c6dfa91d085c3ac1d59842c26889de3e8f969a776eedd37a6ef7dc264e23744ce9b418fd150fe3c35a1ffbab66c3b07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb9029c515e7d840fea88e0036cff838

SHA1
1f8f862072808d6154f86f1307f002e4d8b56b97

SHA256
d0f55477770c390cd18bc3138a5dbaff970defc1a92f36cbea0871b409c50b07

SHA512
8666bf46681dbda4b77bfdd3b9858292c9a3cb475c6238ec5d897a09f01620e27c207d30bcbe4c8518cb6d57398daf0ae025b64b4bd2d3eec949b4bf5439fcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9c0f994676d6ad63ec332815c46f1563

SHA1
3e3ea47ce958c98b00e29171ecd1c15e5a77b822

SHA256
6f13f2f522ecbab28b4d67a3f86116e56ab0a23ccb7844e3aac5c4c0c9ced336

SHA512
9321180d5bdcdf4e29453eee0dd92c040bcda486260af5477542fd250023c37f97e489c1d19cce80682812b28b4d56d64889c19428206e919b37cd2a1a825306

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8e36da0812ef76263631b5f919c3d3f4

SHA1
1e19f8955d5306dbf9c061ea3374430cd73f76ac

SHA256
63521499f2d9a05bf1bec987569cd8295d10e221abb24bb57686e2fe9876068a

SHA512
df432fbf5d73400e8007d0be124e78eea713886b187f54523954d5bc740617fbe47ac6a2cb1a95fa1fe49624bf10cd11066ea8dbc235f350d0841e2ac10b180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fc14db493ced0f14d735bdbfc88aa2aa

SHA1
40b9391d53dfe07eae8e2a31758c522997473e53

SHA256
c464267326176c2b0234e0af781b2d5b162bdd855b29b245b0dda0f69b4342d5

SHA512
0a83d6522996913636a4fe0f7c83be935c4324d8634c265f1e0faaf6a420e9291d4cb465edc0aeda96d36c8fa9a835ab3570210b7649a761447c6034d3673e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
39118cb8cb6b517bc9faee6a3c5ae1af

SHA1
dc4b849d3914a45d73678fec45cf3306c7b2504a

SHA256
15ca509605ff3b3aad91651c6e33b453b4485d09bc123a57a2a462a6d084d4cc

SHA512
86862df0ec7fed2ad263238f8575e1424e9e7ad7a5b724b7aa9220d3e4ab217add7c6bb5b08341f55c75df38a010dc278ff7021feda503b6625863cee38ff4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
94ce93423000e87de8f34d1ebfac3e84

SHA1
57b962dccca40c0dbb83a7854cf6b8db91d6488b

SHA256
901b1b3d908c542062d487288dac878ebecf6b2e5e2224ed29c802a14ae4d127

SHA512
bdb9ba3f6387eda5eb91de357fef5d3c47f4a80cff20025b76386c8be40ae5f438b524ac0995e06b9f6934c3460da42572eeb773af4fdda7372fae7b351724ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6da95a16d72597add6e476b3c030c54a

SHA1
a3f43cf14aa70c1206f747a7c0f355c42e8fd9bd

SHA256
1624e7e248ef7a99247f3bcf5f7929109f12d0bfaec33deec18afa3134b10fa6

SHA512
2420a8454dbbb590361764107f3501c22047e38242b36de40cb2b6983343002ca0ff15c846821a4fd5a4a9ff1d2b17718f27f9b72b4b74cadd2e3c512e521062

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ac91b8182e11f6df3fbbfc25e81e0636

SHA1
f725bee196c9ab890196c06ae57a02ab4386421c

SHA256
e46d3f0dd00cad516039a36e546bd8b725cf6dce5c84d0917d566a4877fd17fe

SHA512
0c8e4bfe787982812a6d34e4911a3b73c76983d8743e87bd2b55583e6ce53c4a744ccfa92a4d5e3ce5d0ec5d0a6a47d001630eb83610d790c067d580b8dadd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
897caa07a23d3cf392b9061ba861c076

SHA1
f71c8acfee008914d503ad1ee342118ab3958f72

SHA256
6d1c254995a22d31c3efcee1612d7358e0d77c0ab93347124f879be1d2be278b

SHA512
4bbd2a360cc8b6aec48f6a3ee7e8c7a3f5a3d7944b79c5a57a10cbbc10a77f8be65223a5a255eccd709818b66943866485ee6416814b9ef67708418926d52b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
28b701c8f52154986239723cc3726ebb

SHA1
675f18ede9f52d90a8ca7c711a9191663f408464

SHA256
19f1225205c550b2ca5e6912dab2e898f2e70578522155f7863871e954c4386e

SHA512
45df8fa3beb97475152153827f678c142c2547090008edf1497375246de37055f869c7bba481d027e3a1c49c897d5eb3c1b124c08f16a9460494676b58cf2430

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e1932c40c8198a3e2f93839eb6e39f57

SHA1
c4c59a420769d9781231b15380e5044ec13564f1

SHA256
ddec5962140fed783ba6e5a7e76459407df0fa5a991b974f8d5a05c6156b7bdc

SHA512
cc24af8ac7b8aed1335503b3fd7c5c9c8f0206bff1086bf1e79c3670e4b8270f6fe8718b8c73aeed5c97e5f9ede985c4cff3f9fdfe6d6ebd476cfb4eaf0df6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
74f3dfa35747f694621e03cb94ac75d1

SHA1
ee4ce341c2cb8347081faac5ba0c6a6b7ddab9ba

SHA256
fb7f7ef69dc89ec9fcc2406ddd558668f3ed45b2da7f362d030609a2946f2d9d

SHA512
853c238bcdee59f0cb8ee01cb22d6e5971e2c539bc7b58b3f4911946c726bf33c6aa040262611d38a2d14c2aba24659fcd58a03e05ff8d7b88bfa5d5c0b15fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
03599e14b1193c982097e4bc75fd3752

SHA1
9898828697c1c76727645a32d678711d2da27cc9

SHA256
46264392aaddaad9f59e6603f2bb8b49b146d064149af32c4ecff1281feb69d0

SHA512
d4fbfe60c5383dd3f04e6f92ab912d84988030e9b71f7b217527797be83e5ca727967d37de851623aa70ab004a97ff038274f42014ff58f89edf18f2fba030e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e5e643dc01cbfe0ebe7c91bbe3eb505

SHA1
49573dad6d00009fc92cb8394033c45575421bf3

SHA256
9d181793d2a19593965c8bdfc3f5525b1337bed39154fd3868a5bbef808372ae

SHA512
9d03eebed8e3901c3edf7a2f6b66a4c93a831a03e22cd36540ab1c180f284ff6b7f6c0a385ffead34e25d0ba21386d44bbe18e5d8b65e99edf0fe9d86d221979

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f1729397ece5073ae1ebeab476f5a6ad

SHA1
092e2d5b4e314f6171cc00efa1bc1419cf12a1dd

SHA256
aef19064848f23c42d97d58197875af6609d19bca22388e4d09ee3ffbcbb76bf

SHA512
ac462ccf63d8dbaa9118151a74fea37af38f3ee7d045e65493f383b439ee0357538b222546cec1bde31bf1d235037ec4872e74eb29bb6cf9de6fdf414a16969f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
66ab6d9cb9912c88c43ea5ab85b0e709

SHA1
71710102f17da0334d93c4779faebc39b19c041c

SHA256
802d1633068cf4fa582702c96f5817a9b75a826083d08843dd8d3b5375dbf8c0

SHA512
2814ac0857f5e25d152be129f042f581a7193cf5de30f1a45141cf8b2b9aece33d91b88c2af9bbeb11d4b69986367ca6352ed72da6360704b8c2bd2400289cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
88f065c2964c971b26632b2346b41404

SHA1
06c0de36121c63a17de224ad387650e7778026c7

SHA256
72ef4ac03bcc55cb1198ed94b06d1a660d98961bbf5f7e9aa3eaa99f9df59bc6

SHA512
0d6c955444cf68ca12afd69c3dc5933063aa3eba48e7390593541a366e1b55abc25e48421655517575717e0b7d325f7d37019ba1ed571a7f2fc891cf40d8ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b9fb4c4f3cde782e49580e685a3b880e

SHA1
95652a02c01604fdb07fbc14aef17b885182e917

SHA256
0c3ffc276b2241d6ee8fc8a8efd341405240a81ee868dd868da9a71010b8a59c

SHA512
5722d3acd48eb4cadce02ee8b8a2bbf4ea382048df7f060ba1941bc5a7ad101f40b80806c2283d1d051c894a89cae93431b16298844abf5e76cb4d1a349e8175

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fea27f98887b3518874e5d109efcfa92

SHA1
addb1151507f6b073fd5a37e14e26a582f0e94b1

SHA256
313dd66202434ce348e913c1a9c81b236b252f77e59550eea42beb2f8dfdffbf

SHA512
8eb82c322e3f02b431822ff6f9b92d059e4157c5fbfbe513fd697af35d93a70d061d39097dd9d60733adacf51e03644c92ef3dd3f11fd3ef1923fe015682d78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4a5e83dcdf947d686244518cd9f42200

SHA1
c0bce8ec5e5f3722ea48160f0b8bf2648774df38

SHA256
283130d7ac6e9e1c1f3005d6fc18b7e914edd6a512144d918580b8844f047594

SHA512
542693391fc4a954322fd1bbf127aebb2f841872bb5a4543c70df1f35c2d58c4d0a0be16f435473c3ce1f31ac40db2638fbf764f0383bccb755a397429a28442

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fb6c989ae10f0ffc237315d8377f263

SHA1
8e1fde1a7799aa917d48d33b1dde056779bb5bc7

SHA256
1711a0c135d265e8fa43f0c2661c518ada991a50940418cf4603219b2c56ae46

SHA512
a983d4659b05385c3284770c89b3f075fc0f1c101ad050bcab44e710ac88e66b752ba9dd4d36b2a2eee0eaf9a84bc65e7656ee45bc133d3f234fb28e30d70093

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee90ee061ec7b8b92fcba516301ebcd7

SHA1
1de4e2d39e41d6a8c35ee2e44c06cf8bf725d759

SHA256
1c6b4f18d02b7ec468ca994a6ade47b5f6b91f46a9b4c733b848b6f5e0fc5de2

SHA512
0fd5b6a5c178c3a44c19e8b9c5743213ba94245fda42d8c592bae36ffdc9ed041ab85a128e933778225aab131b70f7462c7e8ef714be64eb6aa002c7c8e07327

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d730b9215fc81c68f3b01ae888e8ac5

SHA1
3966f78ef0ec4d2a8f6335634714875a2ba54ce0

SHA256
add4288caecfaca2be78d174b841bc3bf4087e3e3ab426ab9b5fe99c7ea5780f

SHA512
6e638ed0019a4c209595b5bba80a0a8a180193ddb204696b47263350b24342eb2ee4f23635658bb347ddeaf1b4c928394a758f4f2fe4ba959522064d0c24a84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d25f4dbc43f7c58ab68e9ae8a0daa7ae

SHA1
f7da6932878838ab829abf007e3d9e25df202c04

SHA256
4531d57c16576bf605688fcbb34783f12f7a2c67ab45dfe6a4022ba83ae5af5b

SHA512
c8c2ee9ba093db4ecee2c620eb1527b2063a800abc2d9d3fee3624a9a61609d41870ddc904b51f6c062d48463cd2c11d90c609925354e54998fba9362c6600b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
abe91ea57970ac6282e58c9036d56cf7

SHA1
7441afd4bdc07dbf0d3d9f89191b5ee5e9735278

SHA256
a5ea2e5d1755b90d2fecccd2cd2d6db40d5b1b3464bd992239df162d33c57fcd

SHA512
60abde29626b8dc040771ec03729ffd4e8fcfc3387b59e92be9042d34615a3f4247e8173f64ddbc499cbe17ba41c70f1e5f1aa9d37a664820b85c4665c85b3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ce669c96c8df2d226c5ddcb2d6f82841

SHA1
3791a6f811f7201c0d582f09d786cd44d648f325

SHA256
aab70f9a2c0c6d786de3478435a7a05bb06e6d91a08225c5e60696b83adc85c0

SHA512
b5eb951b028ace2098a8050e127577fe20bd02a847e951603c12eef432665956ae069dd5e99cfdeacda0297695e49e55ab881ddf5719ec9461b6835d29e0aa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea7445865da0a251da77d5fba978d7ac

SHA1
069517ed5ffaa734ac9eb7fb834cf47edb0d686e

SHA256
ae52c010ec14f7ad8e29abf9e249e9b7b47522040798ef09b42b0152ece205a3

SHA512
8949afe6939b9ee54fb5a1176130692537593ae8036d075e314330a5bb0fac15c48bf73e4a99de1aef72de08b96cff0728d01f6f928403a8903a7fdf2ae622b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e78cea89d0de02316c8964bffedee5e8

SHA1
8bdb7ffa06bc3449a7dcab32e262929217bd25ff

SHA256
cf6f02a610499b23c757c81ea342ec922b92563963641e810bb1cb7d73ac4deb

SHA512
30dc977107ff29b0efa05a06c6fd54893900c93d7463a43d132b266cc9538bd9efb908a0bc6d831adf902db3a4892cee76539991af7e00af9600b0769a125c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
136a737e34eb7e632537207a9bde80ce

SHA1
73c6ff8681584981bf1477a6ebace9c2a9d4f25a

SHA256
0498bab7d40583f42b88237c4e0a9e6efc6aa449a90710b61698c9f314070809

SHA512
91b58bfbe4ed96c49376752fbbfb93021e7fafefc9577855cd63ba79e7e4df6f61bd0a1ad52e7179ad29414704f66d086a15d1934ebe3b8ad7beb3281f258c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c68e82572e473f9f6db380855477e099

SHA1
7a2c77d08d7a0f1c022bd88e4ba6224d3fbecf46

SHA256
1b19c25a413fd853c4fac44b15f2d650b2a52d4c1f3220fa79ebee1a7f053241

SHA512
a97c2c2a63c30cbb76bc2f004034f5c667df581588d67a4eafa97246d1f54a9ce1ac91c99ebc9ed27acabb1516923b7bd8cc646a291292fb3313240c18c3c969

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
93fba2a5e353e5ae978993dfe07a5386

SHA1
682b4f8da780d418a47074e5c9bf8042f7255123

SHA256
a91baf4fbd404aac56c9e1c9fa2a72130f80b73c210d9dcc5c669fdedaa78580

SHA512
12c880b3c45573fc6d97f82c519ac6ce6d31eada9c9dc0d6fc362bfa14442359b6bebcaacc1eb21a143a2c4b9313ea00bab93ffe3b05eb8ad8ec9298bff55333

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4e7a8792e9a429f9d0371a854dd482c6

SHA1
06302947d1fdfb8e64cd7ef4b67eff858f62a5a8

SHA256
681abb9730deab79a05d1f436b53cda6f245b3e47e624da9837bb2854a2cb085

SHA512
e2e6538d18a38e17c57b9fc857576fac9d965950d6b51c3724cd6a16bc50c74429badf5d0ead0968ab643bc68fa3e8a096ee6afe387c25ef342aca949f2af23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b530b1bcda56d37eb3502ab92f9e7a97

SHA1
1a992d10998d3fbc278f02e20516349992fa8d85

SHA256
d2e4170aab7e2d1d667307e0ecdf9d888da49d387dbafa5dca2394b273dfa49a

SHA512
5e58b6791c46536a8e8087fa5ac9baac00324821df4b001692db9af90ad90047370d52bc95dc1fdb939460ff2bf58447b80963ee38ae9175351ee017688402a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ea97d5c37c152fa1049dc78bc5ccf8f

SHA1
612fcb79a6c809d8d0dfb0da86936ca4d9d44ca4

SHA256
dee64b28affe4fe792aa1cd50eeba347bbd4e8adf3a0612eeb5ffd4f8082a848

SHA512
65017b8806cc7c70acf9a7b7dccba6d30a2410eb46eade161dbd225d5756749857d38f14691a5c183f7a61b925a69caf3e519f4cc7ef4458b6c6c40282c1fa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
85c31a81f61d47e53eac17d6240d4461

SHA1
203c0d8a4969aa838668c2218921edcfa7a36ac5

SHA256
39ed775b310f7fa797e6df7e9a6510ba0dcc9c844ffd21203612de34a515fd6d

SHA512
f0e555191c73f790f5a5b1ef93da26a8e2c61461ff6955de9d7ca47108c0c67bb0c3107b7f827c7421f77730fd79e1912ae28c57087b20445a38140035bea097

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
779666bbe5b667eba080dd33930bb58c

SHA1
600bfaa98d4fee1273565442cd560e22eebb210a

SHA256
3df98bd67c1d99699c0a031fb63726a479af50c724131554e186d4c1bbd673c3

SHA512
ce0454442c7e27a3d511f9dab87fc020213e59d3998042b313959a74f9ef29e3f76231dd3dbc6fb2bb0379bd7c65468d2d6fb9f3d901046dd345533130a99294

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6bf065b1b5b4f036e5ff430e4abc2c7

SHA1
e2b5d2f937083de04f3c0eb8ce51e676820bbe97

SHA256
35de088eed9f480f419f430d3f83bdd8be4ff283b095ad66ffb138f727d12f82

SHA512
40ae01d76e4ead720dadfbe8117f616172a8c08f06f7928eb2a156da5908bb88751665c34d39ae30a9d2cbbe2c417fedb037c705816720778c4e118418df2633

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c65df922fd1f6518d9c20c13c82cb415

SHA1
317d8e44a611e15352f1a6a9a07d0aadca1a32ec

SHA256
34422be8b87995261478673aa5d950904f2eb22151c9f6a42988cf633becee32

SHA512
3df43fb44f759c66ba212c4ebce8079a770b36a7a1b3e02853bab6b7c4cc89e7c59b6e1c01d1770d77ea97a389d599889f5437aaba94a87a326c49e7a6fffe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
77c4eaee30cea3adea569afd908de89d

SHA1
8443b56712b01de896737141272e53dae5079a7a

SHA256
46dfb8923e36e20c781e0caa54b859f5e85c807ffe062e4e8ef75f00199de995

SHA512
527159916b1dc3ea9d7f957f0b654b7f5508c46d29b3a3143a5bfb94ef94f88b8d6626159155143f7900f96963be94fb4259e27d4cfd8ca7d463dd9185830d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e584617077bd47c70bc27cda03b4e544

SHA1
a045cff97895aebfe20bfec7769c97cc1e18b6ae

SHA256
990140015f19ae4172209ff5771c68387ba03d26dad5c58e8f7137ab0cca9993

SHA512
106fc1384fe22ad84eb6ccbc1d20e4a2c519aa5518be6f917b219d00d8410dc92902c6d529df4072290c4fe09fb65c5c574f0965fec380a2cefe6256beb755fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
427524eaa91f7e562c973e357b6c627a

SHA1
2e258770567b11e042b0b628b5572fba8a15d3a4

SHA256
61d74754b0775b10ba78ed4da9a4671f021b30f4d20538330ef27e4f3ac97b73

SHA512
c732af93eebd1477af2287821d367a5d55d9e26bb9a301b2b17d127899a9a25acb1fed58d8ffddcbba9cbb5b2aeb3c72cde6d1195134e86fa99369d04deb502d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3459cb662c6b78a1bb3f86614df09000

SHA1
e40e979d5a217f38061154dd48979e7b7574bbd0

SHA256
38d0c4b1f89f663ac3ff34f932876ce205acc84cbb8f5a253a728236191a920e

SHA512
5664ef948b5fa221199b64c89e88f3d4af302bde78558c2a5e2f5b052af9ebe6010c59ade62b513e85eb8db323641736a449bd5ee4625bc7785e925960f7dbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f6cb6e795cddf1a63df0f6fa8378d65e

SHA1
176bbabac0af9ea910247d7425ddd4eef9287bee

SHA256
223ef91d327ab2e3fb101d5292fe9dac33d2d393ea15f3ec349dde558db12cdb

SHA512
0224665ef6e285b68040b0909843b4a121703ffd4303182e36fe1bc6f8be7b2bbfc1463b087b41e9cf59fc1f711502101b3ab3307b00b288a2e4c67d54bb8d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f79580f8c5093b7e6c07940ba51b009c

SHA1
940b270b2aced99987170c3bec6407d61e75fa5a

SHA256
97e4f5c4b9e61294d22ca216191baa8f5495d7bb6f8d2dc4910983505d8d0961

SHA512
b024ae3851d48181cc48c798db26aff96d0a562680164ff2fa55dd5f2b8d9986a162771017b8ea99ec99a1b04a151b370e1ee8473f0562d93e15685b2942403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db52122cdef714b6fe8fbfeec7577c0f

SHA1
f04caca85e31f568bf13390fba157da25b88e4a2

SHA256
e98093f2c1f9e8d92a70c440b3f23f97b5c198414bf011ba9c7ee4396e5206c8

SHA512
5354f3aa0aa43fcde2ae3719b7425685dc8cbd36b3cf39db3bf41b26594dd7a39fd99bd0ce6690eb29f926cfa03f226f99bc5dafe4b40cf266e6c15e55b309d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
29d963b3cebbcf85b88c4f1b2066fff7

SHA1
944a6d7a1f02824d106acb92c72f6e55f3466348

SHA256
cc46980bf2c2c8e6eb31c05cfc2d97365d9f893403453edd7dd1a3572f713060

SHA512
e7efad6ed8833e1988bd276c8c5025a790a4ae991df914ddd51cb90830b8739238433bf05870084f5d4e371f7b6670e6a4f7b7884abe2fa854d7e28341681410

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
56d394ed229d60f4856d1a0a9a8669c3

SHA1
8d40953bd9343f49f543fa82921d15aee8f9bb9d

SHA256
1b376452f599f78f0bf5fc75641dee3f5d1d3df7076de4da2296d7b36c3026ab

SHA512
85b5cab56fe04c18f283495d899ddb3bb2dc570bf8588cab15cc3624ed42fe8c337d9f67c6d06de7563e519ad37461d3fe5f025c04277665187fd7a108d81664

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
798cc56848a737f2ec06b0cc88e2c0ac

SHA1
ae342b8c04bc73b1d9818556508cbf6b7815aba1

SHA256
f550e2b32aa40a06afd71420dced262e4571e295d07e399aef715e54a71aa5b0

SHA512
c66dfc0b250975a517e9df29dc589d73b027aa814192200e39d9e930c50f73fe1fa08a9fb1a4c50cd9bdc575b00517919d4ec9138c61365cf0f035a89cb46eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7e4c17cbb59671b65c368fdbaead793

SHA1
ed4e828508aae3d9cdd4e24cc631068098303070

SHA256
b3d3084e7e11b39d1c77d21149a223f1cd6f9195569635a0148538fde54f6823

SHA512
8269fe353c8af94fffe3346cf74fc8dd436bdb35671228d4e7ed47f574cdb9e9c35bc58932eb8fa23182bebe8b4703a49449ac737fe95dd51c1c458d5d5bd2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1204a03b4ead28db2ce9164c78f8fad9

SHA1
a4fb7c8162cad85f8a127d995bc68ab6a8a2da35

SHA256
7cb72e16dfb61622b4532f95d451fa490864f71d7338571a7bba99d056ed8a66

SHA512
eb54ae51d6dfb2bacf81163a6047be79c9e012e7f3bd4296d27c35d4d4b8e523d5070ecc17eccaaa1e5ea2b4ec16157ffda374ec4bb53b85595098bea88d412c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7188b93f16d662e342f52f1a5b1f8573

SHA1
0e4340859ed3e8ec4aa6975a9ce648f6da033a39

SHA256
3ba99a67f86bc6dc55b58602b726fe075b5aafaece1897ea143ef2c330fb5634

SHA512
d00972a1a122b5d0c40d99a44742e9921e3f0befc5279c77c1067725d2be493c4a5745bb0a21317609bca4e6dbe5ab0ddb69542bf86a944d83feeabd40f1b339

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fc7b39e1859a243178e39bba8652a49

SHA1
4001affd0abc860f954afc4d0f8569e944fe5cd5

SHA256
fcc9ae0ccc620fca569c875c239f632b17bc0f6e3f64d9f759acb7dee416b15d

SHA512
62034a14476c67c199009bf6d75c551caed608dd4119484b54e194b681c50ed0d6dd82becc23530eec3d3b63e6af17fa44f4b8dc669e76257033f18dd11a341f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0db82899b2091867960aa31b09fa9af1

SHA1
0606a35ec5091a08f42adc742fa53836daded943

SHA256
e431c199d4fa9ed62f19965914f0bfc83ef477a42f7540aeb491d3cb8f0708ac

SHA512
24d041bf43a42b6ced34bc24bc5bc029c87f732f4b81ffe6b92850e92ca8937fc1c249368b2c9a071c773eac6421bf97d7ecde0329ea2bae106e30ab6219fae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b7d69690a4602339397f0af08357b7b

SHA1
9397eb320ed3e8f70a575469f525424b375beec1

SHA256
fab7de899b4fef716a72a9ac80abb9fdc87484b8c464b32d931cb2d1a69c32b6

SHA512
55b4d8d3d731dc37247ed7897720d44b922939dcd4bb0a646e3c913220aaf5bb4853d409402e6847ba3a505bd678bf0273e248a7f6e488ed842147145ca48563

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b4fff3a6be1d88a10c967f3617f0cb1

SHA1
98643369497f7d60b502865e3340e7180d551052

SHA256
84bfee9c2cb665f0a04505dc7f523ce6ef7999d59258c1892dce4f9d9e028f8d

SHA512
7a043a4446e7f94abb37c6d2903d8ff468a253de2b1b18e6f831315ce3903f549bda0e91d2f1dcfc22d94ddb718a39bc2ac9b91b37fafe1838c8ad0d6d13c329

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
641840aee5832e41bc209944f0ae4926

SHA1
9eab731a6ce25852826d04055cef1182a735d1c6

SHA256
d1a138bcc918ab1ec9d64bf3740536590423075c90a4743f7b6ad6e939a617c7

SHA512
8bcceb5108db6c6038bcf9a2348a41580ea75d5249b67d931b8570904fd2cd40fd467807517a4a1ffc53b7ea7fe926983f7924b0fd7e5f9402f6f934c0585954

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6b675a7a8d56dd94c2490540b0c4815f

SHA1
1af47ab4eafbb2e0aac5fde93ae1810d589ec6f4

SHA256
a6095cca06f3f79012fb06accfbe20cfd82a8a3611db9e63cc1880937c9d1583

SHA512
85e30106e33286668fc2c4d86724959b41ccd683f1d55263107872f72125f3c463fb0e21239d0c9e14cd48310218faa1ec6bc3ea95d1731ac2b5d7631538f7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f7d1fed91a1cfcf2384c94fa0829f78c

SHA1
60bdb5a14589bef1a562227436c1606c4cddb89e

SHA256
5cabf3fdc1f06e3f0f6b4cddcc8f3597b552c58f00a0156a0cda3747f60653e5

SHA512
da52d6bd4546344aba5961e3dabd12244c78bf23a6eb14c8d6c5185feaea21d61c6335bac32ceff0c27b1b402e0dadf5653ef8f17c6ab1b02edd278f51cf6bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b02eea79c88446df3220a0008bd36352

SHA1
0075cda108b8d96fe8b48c1e99a0a15de6744e4e

SHA256
3d2ec69572f120aeec1c012987a3f6ca69da24f900a6ea84c9a52b8c271eb5ad

SHA512
4383334ddbb0f059f7c8fc7bd4c5f248ae53c79b96722ad1ee48c245f825862da162f274733e9d72af2ad6649127fab2c0a41737042c9fc460625a82dcf06885

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d4b4c1559c404d3a2c305a76bd85a7d1

SHA1
e5866ecebf14f0627f13db359a3ffa753157940d

SHA256
ce72a9547af44ab1abb06e6203da12287a2a6b4451c253276ed0ecb8df7c5055

SHA512
9f9bc2ed0d79022485a5f4ede9319617048233a1c124b3ea2337607f6afb04f4419be1f33b463ed48229b548c992064898acb80db6ea2c2242629bd6e451bdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db5f56465e65380e3249a33c0bc1e69d

SHA1
4a0342d2320542dc4bb3544406961807381d8199

SHA256
36fefecc917e1b1426b2188b8ad39016d8362de320c6ffcddd7572f1e649ab08

SHA512
69cebb43b19d61bf1d9441735977e660a1acd71a9cb8dcbb89b0f9f949779f5a0eef1206a0de75ef3aadbda8f15ab9b9a482db5c714cbb689a38f0a84d1a835d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0b73ac4900d675563ed289094d3e0e9f

SHA1
877c7a2ddf9d27e422a1d3e87d2e40ef9d006374

SHA256
5fcaeb771a00d428e364c3c7c1ca4fdb3f3bae5729af33f072ae6246cfbf82ef

SHA512
b2ee6e1787cb0408926de0a7b04bafb0e5186b53e3f09b84cbd7a54b0c0cfd675242c7709529610fb85afc93b19cb4f482019615335709be765c946a3d77999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7e76c09beb43afb0de8723a7b77e8e52

SHA1
a94648d2ad5efcc47e2b2b42f70ef3db0b3c89b6

SHA256
60da262afd4549e74a6b027c41168b6ba12e678e34749e168d0487f6ab398524

SHA512
e6aa7a1bef832d2ccc994a4eb8fc2560a0e034708236845a880f65cd733de34858a568bd20096af4977b1eb74517438cf97272a30f06fa3de6d12802d0486cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6735b0ea0af5b888aba15a70cff162ae

SHA1
03b58bca37b72636edcf5e0062de321184b2bf40

SHA256
d356ead1d8d0765dab6661607c51f52702d08872f53ac6ac836d21c4856a4fa9

SHA512
dd83baea189387bc651ef22847ba3e2b35a3a8e7c3e920e4eda5d0ada6f00db838f251462d7a3b955697ad9f7fd79454d4555db92f612e300cfdf778293b187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
98d3c571a79dce31bccc9ebe04c06730

SHA1
d3c9cf974a3fdde603e5dd4ef2571916652eee43

SHA256
a5ef2b8bcc84268132e8f7bb79d22a537cabb57a2bdc1f4456f24189f2f48bf2

SHA512
0c78aa1c1d5c6fe576090b81d84e54cf3ad9ad59e8973df9a413e16136cb1a8dea8a032d5f69042fc2d718a511ea3623ea5b2c0b8ba4246cda49c6b21cba60e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de6f156059710feccdbbed069cff773e

SHA1
214af4b55f4779d9ef1c9def05161f852af10ba9

SHA256
884de8a2e1e93960ef147a2ed3956bbf5d9e1328f74ecb25d634c04e9dd9325d

SHA512
db4d5d98a67653029e06dcf5ddbc8824ba63c863f4ffe1bcbc0b734ff0ffea43dbeea754a7a6152e24aa4e45e76891bcf0d3d30ce3f4d67de4bd0f712a59769c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c6099eaeb8f422702f0eb972bf27315e

SHA1
a49716e01443adf49a481827feac9baf7d3aa52b

SHA256
a7a8e7c49080b28c15cf6892d3c046e9f47ca3e55c7e791838431ffec9eb1b9f

SHA512
b8220318e303005a821dbb17dddb7993718b24d17305ab684a20f3976c0ed311fcc5a8d349b70e54c68addb58cd2db91385336ca34bd8ea2c89c4aa8a74c0f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d8207a1be5472088316d1700da02a54

SHA1
845cf9f2fa4a1af108acfb6086e5881c6223fc09

SHA256
e1553106acb89eb6a03228b52b2d538911a31e8cc4b22fc84b733e9e12736fbb

SHA512
60dedc92ed6321799115a971883fcb1e118b2a3afa5c7e091499760313f98eb4fb0c9bb68fd40ae677678c223c10dc1dbadcf3042bb0d4216b8bfa5eb9a4c001

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
db86bb3636c4f868120a151c97ee962c

SHA1
f63fd0b4931dcc03ff8021f778014d37fc868801

SHA256
7a0821f42ecec0b3fb7767ebfc13cae0419f759d095e299e617d59bd4644ef5e

SHA512
12e7985353e96f1121a12623c6a35e8073f5ab9ec5d1b03e79e7a521e156547acd225af052c1def0fa00572a95526cefdc2db70980a01a9fb946960a7198ec7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
839fe935ad8299e393bdcf2a7cebe66b

SHA1
d2fae74416cbf3c388e474d882ace117ea2de9f7

SHA256
e069695ecba1ba576eb453e70aec3d40e9c788d38f8feece543e31390140efe5

SHA512
bff3165c927294e5f7926c8957eafb36d59f18297d8a507505d8ec5adbe311621df9393d9d5667b50bb77dc6e9c1131361db1c289c796475d78d7144e18c3b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b82196c1d81a8e0cc5588ef4370f27f1

SHA1
21b5e13be136fe335ad45237b850a492653dd8c1

SHA256
c1d5da3e4fc3a3cdf0d36e34204f589e5dff22df5843b148e9c9a4847b20bb67

SHA512
813d79af8b69da3d15e3cdd2bac50978ed1cf7daa212926e71797863a288d3392498348e16025985fabd31577508cb62c285584234dd388192c6af70d6ca2ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1045960512-3948844814-3059691613-1000\699c4b9cdebca7aaea5193cae8a50098_a4172161-d53d-48af-8f36-a00b057e74d4

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
a9fb98810b3861c8cfc422f7bd82b262

SHA1
250dc2c0202e7c9d20b31b6834db8b33d3e433c4

SHA256
33766b7c3c3f5f89a771a857fb7cc9cc9fc36b46cf0042aeac945f6c44d73329

SHA512
687f4b944cf451f2dca0f434792a5bd740de4adb338188ffa2a566eff5835580246b065d5faeed14f377f569a746f53ed2b3735e2a807356bb0702d560054182

Download Submit
C:\Windows\SysWOW64\Driver\ctfmon.exe

Filesize
483KB

MD5
12d616d93ea21ec2962f5d97485e987b

SHA1
1b60be15ba28018945b498a259953c0034af94b9

SHA256
26c0ed3277683d94f9fea0b579ee8d13da7a5b904278a2acb452c4aa505b8d69

SHA512
f96dfac790793b924751889c59c41cf5b323b7d8b31928a2744d065b4a3c70fcf4b30b46d3a73ef22e02294c585262a0250046ea1350414d3fb458c4c383ae72

Download Submit
memory/8-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3284-182-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3308-38-0x00000000022A0000-0x00000000032CA000-memory.dmp

Filesize
16.2MB

Download
memory/3308-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-36-0x00000000022A0000-0x00000000032CA000-memory.dmp

Filesize
16.2MB

Download
memory/3308-28-0x00000000022A0000-0x00000000032CA000-memory.dmp

Filesize
16.2MB

Download
memory/3308-51-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3308-53-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3308-52-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3308-137-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-60-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3308-57-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3308-32-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3308-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3320-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3320-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3320-62-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3680-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-14-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3680-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4072-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4072-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4404-47-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4736-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-25-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-3-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5116-207-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download