Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 05:18
Static task: static1
Behavioral task: behavioral1
  Sample: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
Size: 191KB
MD5: 3874199af9bef338ffc8dcd9a9d2dbf0
SHA1: 14f4aa746d391393bd2fdd112a430266bf20a8f2
SHA256: a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964
SHA512: 38c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec
SSDEEP: 3072:eyAaQqe90u5DdXJP45JQRCK5Z4AhJvKI+EXWML6KyugTxfvDcO3g+xJ+88aQ4VVn:eyAge9RNOQg+ZP12EX5L6154+N8apiPi
Malware Config
Extracted from: C:\Users\Admin\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2
http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2
http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2
http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2
http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2
http://cerberhhyed5frqa.onion/DDAE-5801-9A99-0063-70F2
Extracted from: C:\Users\Admin\# DECRYPT MY FILES #.html
Note: all six URLs share the hostname label cerberhhyed5frqa and the path DDAE-5801-9A99-0063-70F2. The label is the hidden-service address of the Cerber payment site, the five .win hosts are clearnet gateways that proxy to that .onion for victims without a Tor client, and the path is the per-victim identifier. For blocking, the gateway domains are the actionable indicators; the .onion is only reachable over Tor.
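The URLs above reduce mechanically to three parts. The following Python is an added example written for this page, not the sandbox's code and not anything taken from the sample: it splits each note URL into hidden-service label, gateway domain and victim ID, checks that every URL agrees on the label and the ID, validates the label as a 16-character v2 onion address, and derives a hostname blocklist. The six URLs are copied from the report; treating each .win host as a front for the .onion is an assumption based on the shared label.

```python
import re
from urllib.parse import urlsplit

# The six URLs from the extracted Cerber configuration (copied from the report).
NOTE_URLS = [
    "http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2",
    "http://cerberhhyed5frqa.gkfit9.win/DDAE-5801-9A99-0063-70F2",
    "http://cerberhhyed5frqa.305iot.win/DDAE-5801-9A99-0063-70F2",
    "http://cerberhhyed5frqa.dkrti5.win/DDAE-5801-9A99-0063-70F2",
    "http://cerberhhyed5frqa.cneo59.win/DDAE-5801-9A99-0063-70F2",
    "http://cerberhhyed5frqa.onion/DDAE-5801-9A99-0063-70F2",
]

# A v2 onion address is 16 base32 characters (a-z, 2-7).
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")


def parse_note_urls(urls):
    """Reduce a set of ransom-note URLs to one hidden-service address, the
    clearnet gateways fronting it and the victim ID carried in the path.
    Raises ValueError when the URLs disagree, so a malformed or mixed note is
    not silently turned into a blocklist."""
    labels, gateways, victim_ids = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        label, _, domain = host.partition(".")   # "cerberhhyed5frqa", "xmfir0.win"
        labels.add(label)
        if domain != "onion":
            gateways.add(domain)   # assumption: each .win host fronts the .onion
        victim_ids.add(parts.path.strip("/"))
    if len(labels) != 1 or len(victim_ids) != 1:
        raise ValueError("URLs do not agree on one hidden service and one victim ID")
    (label,), (victim_id,) = labels, victim_ids
    if not ONION_V2_RE.match(label):
        raise ValueError("hostname label is not a v2 onion address: " + label)
    return {"onion": label + ".onion", "gateways": sorted(gateways), "victim_id": victim_id}


def blocklist(urls):
    """Hostnames to block: the full gateway hostnames plus their base domains.
    The .onion itself is omitted because it is not resolvable outside Tor."""
    info = parse_note_urls(urls)
    label = info["onion"][:-len(".onion")]
    full = [label + "." + g for g in info["gateways"]]
    return sorted(full + info["gateways"])


if __name__ == "__main__":
    print(parse_note_urls(NOTE_URLS))
    print("\n".join(blocklist(NOTE_URLS)))
```

The consistency check is what makes it safe to feed automatically extracted notes into a blocklist: a note whose URLs point at two services or carry two victim IDs should be looked at by hand rather than blocked wholesale. The 16-character form marks this as a v2 onion address, which the Tor network stopped serving in late 2021, so the .onion entry is historical; the .win gateway domains may since have been re-registered for something unrelated and should be checked before long-term blocking.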
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
-
Contacts a large number (16405) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | setx.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: setx.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | setx.exe
-
Drops startup file 2 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk | setx.exe
-
Executes dropped EXE 2 IoCs
Processes:
Processes: setx.exe, setx.exe
pid | process
- 2784 | setx.exe
- 3080 | setx.exe
-
Loads dropped DLL 6 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
pid | process
- 2472 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe (3 loads)
- 2784 | setx.exe (3 loads)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | setx.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\setx = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | setx.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
- 16 | ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Processes: setx.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC980.bmp" | setx.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
description | pid | process | target process
- PID 2472 set thread context of 4224 | 2472 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- PID 2784 set thread context of 3080 | 2784 | setx.exe | setx.exe
In both cases the parent starts a second copy of its own image, writes into it repeatedly (see "Suspicious use of WriteProcessMemory") and then replaces the child's thread context. That is the process-hollowing (RunPE) pattern: the child, which performs all of the later behaviour, is running unpacked code rather than the on-disk image, so memory of PID 4224 and PID 3080 is where the real payload should be carved from.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe | nsis_installer_1
- C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe | nsis_installer_2
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
Processes: vssadmin.exe
pid | process
- 3424 | vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes:
Processes: taskkill.exe, taskkill.exe
pid | process
- 3632 | taskkill.exe
- 1708 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, setx.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | setx.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7F378566-32CC-194C-63ED-AAB4EF64314A}\\setx.exe\"" | setx.exe
Note: SCRNSAVE.EXE under Control Panel\Desktop is the user's screensaver executable, so this is a further autostart path alongside Run, RunOnce, Policies\Explorer\Run and the Startup-folder shortcut; it fires on idle timeout rather than at logon and is easy to miss in a persistence sweep that only checks the Run keys.
-
Modifies registry class 1 IoCs
Processes:
Processes: setx.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | setx.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Processes: setx.exe
pid | process
- 3080 | setx.exe (64 identical events collapsed)
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, taskkill.exe, setx.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
description | pid | process
- Token: SeDebugPrivilege | 4224 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- Token: SeDebugPrivilege | 3632 | taskkill.exe
- Token: SeDebugPrivilege | 3080 | setx.exe
- Token: SeBackupPrivilege | 1596 | vssvc.exe
- Token: SeRestorePrivilege | 1596 | vssvc.exe
- Token: SeAuditPrivilege | 1596 | vssvc.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2028 | wmic.exe (this 21-privilege sequence is recorded twice, 42 events)
- Token: 33 | 2592 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 2592 | AUDIODG.EXE
- Token: SeDebugPrivilege | 1708 | taskkill.exe
Note: the wmic.exe, vssvc.exe and AUDIODG.EXE rows are the privileges those Windows components enable in their own tokens when they start and carry no signal by themselves. The rows that matter are SeDebugPrivilege enabled by the second instance of the sample (4224), by the dropped setx.exe (3080), and by the two taskkill.exe instances launched from the self-delete command lines.
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
Processes: 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe, cmd.exe, setx.exe, setx.exe, cmd.exe
description (identical consecutive events collapsed, count in brackets) | pid | process | target process
- PID 2472 wrote to memory of 4224 [9] | 2472 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe
- PID 4224 wrote to memory of 2784 [3] | 4224 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe | setx.exe
- PID 4224 wrote to memory of 2020 [3] | 4224 | 3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe | cmd.exe
- PID 2020 wrote to memory of 3632 [3] | 2020 | cmd.exe | taskkill.exe
- PID 2020 wrote to memory of 1120 [3] | 2020 | cmd.exe | PING.EXE
- PID 2784 wrote to memory of 3080 [9] | 2784 | setx.exe | setx.exe
- PID 3080 wrote to memory of 3424 [2] | 3080 | setx.exe | vssadmin.exe
- PID 3080 wrote to memory of 2028 [2] | 3080 | setx.exe | wmic.exe
- PID 3080 wrote to memory of 2644 [2] | 3080 | setx.exe | msedge.exe
- PID 3080 wrote to memory of 516 [2] | 3080 | setx.exe | NOTEPAD.EXE
- PID 3080 wrote to memory of 4408 [2] | 3080 | setx.exe | msedge.exe
- PID 3080 wrote to memory of 1888 [2] | 3080 | setx.exe | WScript.exe
- PID 3080 wrote to memory of 4904 [2] | 3080 | setx.exe | cmd.exe
- PID 4904 wrote to memory of 1708 [2] | 4904 | cmd.exe | taskkill.exe
- PID 4904 wrote to memory of 952 [2] | 4904 | cmd.exe | PING.EXE
Note: the two or three writes into each ordinary child are what CreateProcess itself performs when it sets up a new process. The nine writes from 2472 into 4224 and from 2784 into 3080, each into a fresh copy of the writer's own image and each followed by a SetThreadContext call, are consistent with a payload being written into a suspended child (process hollowing).
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Process tree. Indentation shows the parent/child depth the sandbox reported; PIDs are taken from the signature tables above.

C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe (PID 2472)
  "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe (PID 4224)
    "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe (PID 2784)
      "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe (PID 3080)
        "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe"
        - Adds policy Run key to start application
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Sets desktop wallpaper using registry
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (PID 3424)
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\system32\wbem\wmic.exe (PID 2028)
          "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2644)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        C:\Windows\system32\NOTEPAD.EXE (PID 516)
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4408)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfir0.win/DDAE-5801-9A99-0063-70F2
        C:\Windows\System32\WScript.exe (PID 1888)
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        C:\Windows\system32\cmd.exe (PID 4904)
          /d /c taskkill /t /f /im "setx.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe" > NUL
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\taskkill.exe (PID 1708)
            taskkill /t /f /im "setx.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\system32\PING.EXE (PID 952)
            ping -n 1 127.0.0.1
            - Runs ping.exe
    C:\Windows\SysWOW64\cmd.exe (PID 2020)
      /d /c taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe (PID 3632)
        taskkill /t /f /im "3874199af9bef338ffc8dcd9a9d2dbf0_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\PING.EXE (PID 1120)
        ping -n 1 127.0.0.1
        - Runs ping.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
C:\Windows\system32\vssvc.exe (PID 1596)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4064,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4884,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5272,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5324,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5848,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5908,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1
C:\Windows\system32\AUDIODG.EXE (PID 2592)
  C:\Windows\system32\AUDIODG.EXE 0x554 0x54c
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6292,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6328,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5460,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:1
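The command lines in the tree (vssadmin and wmic shadow-copy deletion, the cmd.exe taskkill/ping/del self-deletion) and the autostart registry writes in the signature tables are the behaviours a detection engineer would encode from this report. The following Python is an added example written for this page, not sandbox code and not anything from the sample: three rules run over a handful of constructed Sysmon-style events (process-create and registry-set records modelled on the report, plus two benign controls that must not fire), and a correlation step that groups hits by the acting process. The Win32_ShadowCopy pattern in the first rule is a generalisation beyond this sample; the event field names are this example's own simplification, not Sysmon's exact schema.

```python
import re
from collections import defaultdict
from typing import Dict, List

SID = "S-1-5-21-1181767204-2009306918-3718769404-1000"          # from the report
DROPPED = r"C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exe"

# Constructed Sysmon-style events: id 1 = process create, id 13 = registry value
# set. Field names are simplified for this example; the values mirror the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "pid": "3424", "ppid": "3080",
     "cmd": r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'},
    {"id": "1", "pid": "2028", "ppid": "3080",
     "cmd": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"id": "1", "pid": "4904", "ppid": "3080",
     "cmd": 'cmd /d /c taskkill /t /f /im "setx.exe" > NUL & ping -n 1 127.0.0.1 > NUL'
            ' & del "' + DROPPED + '" > NUL'},
    {"id": "13", "pid": "3080",
     "target": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setx",
     "data": '"' + DROPPED + '"'},
    {"id": "13", "pid": "3080",
     "target": "HKU\\" + SID + r"\Control Panel\Desktop\SCRNSAVE.EXE",
     "data": '"' + DROPPED + '"'},
    # Benign controls that must not fire: the wallpaper value is not an
    # autostart location, and a lone ping has no taskkill/del around it.
    {"id": "13", "pid": "3080",
     "target": "HKU\\" + SID + r"\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\Admin\AppData\Local\Temp\tmpC980.bmp"},
    {"id": "1", "pid": "7777", "ppid": "4", "cmd": "cmd /c ping -n 1 127.0.0.1"},
]

# Rule 1: shadow copy deletion. The two forms seen in this report, plus the WMI
# class used from PowerShell (a generalisation, not observed in this sample).
SHADOW_RE = re.compile(
    r'vssadmin(\.exe)?"?\s+delete\s+shadows'
    r'|wmic(\.exe)?"?\s+shadowcopy\s+delete'
    r'|win32_shadowcopy', re.IGNORECASE)
# Rule 2: the "taskkill ... & ping ... & del ..." self-deletion chain run by cmd.
SELF_DELETE_RE = re.compile(r"taskkill\b.*\bping\b.*\bdel\b", re.IGNORECASE | re.DOTALL)
# Rule 3: an autostart value (Run, RunOnce, Policies\Explorer\Run, screensaver)
# whose data points into a user-writable directory.
AUTORUN_RE = re.compile(
    r"\\currentversion\\(run|runonce|policies\\explorer\\run)(\\|$)"
    r"|\\control panel\\desktop\\scrnsave\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(appdata|programdata|temp)\\", re.IGNORECASE)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per rule hit. 'actor' is the process responsible for the
    event: the parent for a process-create record, the writer for a registry one."""
    findings = []
    for ev in events:
        if ev["id"] == "1":
            cmd = ev["cmd"]
            if SHADOW_RE.search(cmd):
                findings.append({"rule": "shadow_copy_deletion", "actor": ev["ppid"],
                                 "pid": ev["pid"], "detail": cmd})
            if SELF_DELETE_RE.search(cmd):
                findings.append({"rule": "self_delete_chain", "actor": ev["ppid"],
                                 "pid": ev["pid"], "detail": cmd})
        elif ev["id"] == "13":
            if AUTORUN_RE.search(ev["target"]) and USER_WRITABLE_RE.search(ev["data"]):
                findings.append({"rule": "autostart_to_user_writable_path", "actor": ev["pid"],
                                 "pid": ev["pid"], "detail": ev["target"]})
    return findings


def rules_by_actor(events):
    """Group rule names by acting process, so one PID that combines persistence,
    recovery inhibition and self-deletion stands out from isolated hits."""
    grouped = defaultdict(set)
    for f in detect(events):
        grouped[f["actor"]].add(f["rule"])
    return {pid: sorted(rules) for pid, rules in grouped.items()}


def is_ransomware_like(events):
    """True when a single actor triggers all three rule families."""
    return any(len(rules) == 3 for rules in rules_by_actor(events).values())


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32s} actor={f['actor']} pid={f['pid']}  {f['detail'][:70]}")
    print(rules_by_actor(SAMPLE_EVENTS), is_ransomware_like(SAMPLE_EVENTS))
```

Each rule on its own produces noise in a real estate (administrators delete shadow copies; installers write Run keys into AppData), which is why the correlation step matters: on this report all three families resolve to PID 3080, the hollowed setx.exe, and that combination is what justifies an automatic high-severity alert rather than a triage ticket.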
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: b4601173193b3fdb7ac5a9c987244965
SHA1: dc1a9513924212369181d7d219bfb8ec6752328d
SHA256: 1917037f9e8166847d5a532b230e6d3fd55eec1a3ab9665d5addd0257b184c5d
SHA512: 489cc4aba7c539d3133b85b9adb2642470799aa7a55c4b4a1ae6b99d8431c011a1bb4af7696017829e406fde50c5866b1022c09e2e4a64fa83655f74ff609079
-
C:\Users\Admin\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: e7409e73cad4539868ca427f6386b2cb
SHA1: b4d3f70d9ef020676b401cd680aec98f69d87a9f
SHA256: 43bc2544e57b7bf14255a37bfc5ff863f3c3d5ec0d367187fca73f7fb4579a59
SHA512: 55e7cae89ff11b4c60900826d21516329fc23e6679539b43a8e377ed590507b87820fbce30c34ad927cff8d60d9db0f60108a705c953eba74191fdb8265a078a
-
C:\Users\Admin\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: b276cd26a443459785c65dbc3e858f41
SHA1: dc80495bda5960561c349b6921528b06b62d5451
SHA256: 9fb21b290ebb9791f18ed511f15e6186d6dc5915052a2f8734c64021f441913b
SHA512: 6eddb5ad6ba452af287e561cd4ca7562849f10fc82086dfa707c9f87221f5e50c215272c5ccad6b9578d10cf86c35dc97e689ce6e5b334e36e635eb83c2fa507
-
C:\Users\Admin\# DECRYPT MY FILES #.vbs
Filesize: 225B
MD5: f6d629f2a4c0815f005230185bd892fe
SHA1: 1572070cf8773883a6fd5f5d1eb51ec724bbf708
SHA256: ff1de66f8a5386adc3363ee5e5f5ead298104d47de1db67941dcbfc0c4e7781f
SHA512: b63ecf71f48394df16ef117750ed8608cc6fd45a621796478390a5d8e614255d12c96881811de1fd687985839d7401efb89b956bb4ea7c8af00c406d51afbc7c
-
C:\Users\Admin\AppData\Local\Temp\nshF109.tmp\System.dll
Filesize: 11KB
MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
C:\Users\Admin\AppData\Roaming\14.svg
Filesize: 1KB
MD5: 03fca4964c3e6990bbabdba51d05364c
SHA1: 76adc77af189a574671ce7a83e4b0f79be366a71
SHA256: 5f2229abd53f6a6d064e0fd1654534fb3c6c91982b90be99017911e4fbf2d65a
SHA512: 11aec001e784535a58642f5d0a8303427f7d9fca2a5b9a07d7dbba13a25a19b8ac817fa15bfe3633637ae40ff7c4a62784d99f2e51a8080fe708e89f329a75ad
-
C:\Users\Admin\AppData\Roaming\14.svg
Filesize: 906B
MD5: 821b4b1bfebd42f747465153006eef8f
SHA1: 0283713c0f75aeb9ff524268cecbccea3c76a735
SHA256: d1fae5d438c33909d34190ce684e1f646420c7cafd402008a6b251e1b0910e76
SHA512: e18008e287b2f8ad6465836439d526710586a6bf0e1f77f5363d38f5fdf3115d41aa48bc49ed6de3ae279c256f8407414e6028ff6ea4b0532079dc411f4b834c
-
C:\Users\Admin\AppData\Roaming\5.svg
Filesize: 1KB
MD5: 1dc37da15cb9363ca45ed9eea820b945
SHA1: e09c510cfdb9280ff9b51c312492b602b2fd694a
SHA256: 58b9d08cde335dbcf22b0db8e2d018921b95b2b5d36188de6a99584fd22c4341
SHA512: 37bc1fedca957d5b9d712946d8b76a840eec2fcc35e10e96be29150ad8db9b14314831f14e5932ea46291a5962f07300fcfe5af13da2b47b775a8ae63053102b
-
C:\Users\Admin\AppData\Roaming\5.svg
Filesize: 967B
MD5: d4aa38a90c2dd724b569ae28f314ce9c
SHA1: 9041c2905b6a95f10ff1ce22eec51d76ed008703
SHA256: 84ebb2d82c7a1ceabdd698fe823cf23c1eaff7c73458b410fb1ce76c8fbb9b48
SHA512: 45d67e17bd0ac8e9184554d8fb378a952fae4b3654c1baad269cd750ce52a744f55bccf48506042f82955132f6a25c5429a3b33bfff7ce0d4383f7d230b579e9
-
C:\Users\Admin\AppData\Roaming\Adobe-Korea1-2
Filesize: 4KB
MD5: ae6e76ce3e42a164f3dc16386372eba2
SHA1: 7f9033a222218108bbeb011f956c672ea50402ef
SHA256: c3cc324e8610138120375f8023eca6ba4f6fee22639bc8594cec3412e7796b1d
SHA512: 1cbf330e1219623060b367d595f0598e47868cd341c110581be4092c1c3b1206075143c5818a361a52ae08bffbdecb23430e9f5e083016c8b4ac69eb5119d662
-
C:\Users\Admin\AppData\Roaming\Baghdad
Filesize: 489B
MD5: c9ef37edfba00afb0e15b457af8c30b5
SHA1: e8b4bcaacc6292e57030264fff25bc0739f9989e
SHA256: 4ab1803957c4629ed07601a3b0ec2780c0336182b56356479d3ec939c1665d67
SHA512: bcb6ab1c7784dcabc0429e3d0a9b6c5416e0fdbd9b99a891120724f1b7eaa81d9058717c0e6003574518b49daab12b9293198f1d8554aa2fe764bf27c1581a37
-
C:\Users\Admin\AppData\Roaming\Belem
Filesize: 297B
MD5: c4f7dbf780bfd55650b460eb7cde3e3d
SHA1: 0a2a148be00876a3be18a7debf587716e5b75f64
SHA256: 7c01888c2869320277f3cdc5591cc0da59276bfdfc9f96ce4d6da370d1319fbe
SHA512: 5cc7c3f7e8a96f9a73c8115ac217c3318b702cee98b702085afd286d90ea61141f33d806f116efec62886e7f0724199e24dbedecec1db1809b69a44a0c5deb7d
-
C:\Users\Admin\AppData\Roaming\CHANGELOG.md
Filesize: 4KB
MD5: 8e76b59df485c90b44b2516788f505aa
SHA1: 8f751f7aeb7be74cc2529cfb9ec596fe07617b3f
SHA256: 4db6df2dc7c15b3f625a99d763018c8e44dd5d3f3b6194e8e6910e99c7e29bad
SHA512: f2b2065101ed369fca9e375fdb00e1db999af98bc87737c40d355a4cb3c1a6c421c2b77fc9d75cd39290e44bd7b8434fe773d3140bdf8b9662a1c424c24c12e8
-
C:\Users\Admin\AppData\Roaming\CHANGELOG.md
Filesize: 4KB
MD5: e6f2520cedb0df21cc115a52eb3f7758
SHA1: 27d37567e0739177af8915ebfd1d3f17fe53d52d
SHA256: daf6ffb3678d5e74a87aa550af9bd34c6e049562a771b38fcc39d5f8ec1df45a
SHA512: ea91d35f654f1275dfd437ffd44ebe8b2ec5690f32ee78c2507ebb807570306f20b18b22085a4592c215458885fb9dfbff5919f93ca19fe8e0be94cd425d8060
-
C:\Users\Admin\AppData\Roaming\CreatePSPrefsDir
Filesize: 33B
MD5: 1f3bc75daaf847977f7cf3529e4c48df
SHA1: f4dc15cada37c0eb4277dfb13f054c0c4e26f381
SHA256: d4368f7873c76dc461ffbcea9c96ec52db4de2e97f0c02762b78b5af1d1b4678
SHA512: 01fee9822070f4413f7125e94a82794861da82f5d77dec0e3a1b6db90f605fc25f07926ef0fb4792e8e910cc90b868a89a50b16d5119084fe7c8ad8fa89df87d
-
C:\Users\Admin\AppData\Roaming\Cube Wrap.dae
Filesize: 4KB
MD5: 2fbce568bf33721ee9a3b169e45e1c6e
SHA1: f6843c7f30a7080102f54022378f5db5f9b54604
SHA256: 6ee6c6b5dd0a5fd77cbf192d34e34c906a5c8d03e8bbbdad844be0b3be0eb244
SHA512: d74e7de308caf935100a7e68325dad64be10125ac1f458646967e44b8ebd3308c50d54d05c9bedf4909301cbbb43794ba05a14c3c1343a090691b4c370609fc7
-
C:\Users\Admin\AppData\Roaming\Dialogs.dll
Filesize: 27KB
MD5: 98041c3b26ffcd6c4371cd6922cc9dfb
SHA1: 384bd07ad9523353d9c67337af7369834b52914d
SHA256: c000e9cc700265ee10be1c811fac455fca938cb5b5144e431eb5286520af94cd
SHA512: a2bb8a799dc6c4e25624fd3a6a21ad890c9bddca6fe0a698455c486e4525180cd6767f66db9b5becf06105bef38d924a34179c2416978adccc2707999183f9c3
-
C:\Users\Admin\AppData\Roaming\Dubai
Filesize: 65B
MD5: 163a95a3a62f08b92168f8d587fee2b1
SHA1: 8c26887717038aa2a3d87ad95223f43304ea2728
SHA256: e5e18fbc7153bd73932dec7870bef4664d2afc831bedd739eef8ca0da3c93161
SHA512: 3c0696dc0204359e197ffdbefc21373cd432ea224b0a95b2f78ad8e7d66ec9c9e870e66004c148a2a1229eb3964e9daa19b7d1d7426f4a27c3dfde9b95319252
-
C:\Users\Admin\AppData\Roaming\EST5EDT
Filesize: 2KB
MD5: 19205afc9ddf867b7e1c2f8c09ca4bc2
SHA1: f74d5966035fde6527038979e6c7a6ab76c16ef9
SHA256: 5e426725f89f7406c59f805f0c0c6f e8a3823ccb96b11eb6b053e2a2723c2658
SHA512: d1edadf8aa510880da7a8b7b59450744e933b719f19ca8e14eaf3d20d15556a163869f357adb22a29789c194bb17d53ad5b684d3178d59a7ac59f4a395186a05
-
C:\Users\Admin\AppData\Roaming\GMT+10
Filesize: 27B
MD5: 715dc3fcec7a4b845347b628caf46c84
SHA1: 1b194cdd0a0dc5560680c33f19fc2e7c09523cd1
SHA256: 3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08
SHA512: 72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662
-
C:\Users\Admin\AppData\Roaming\LowlandJade.9
Filesize: 1KB
MD5: ff4bf91598146d03cd1509a5a8e573eb
SHA1: 1fb7cc8826cb01ab125a8ded4e81362c9f00c39b
SHA256: 14f3c22b4eb2a917f7d88595625ce17dca8028d7e1ab59e887ff8de649f9187b
SHA512: 42e8f92f3db305ce3dd8541fdd98390af80290edd333652bd4624f7d0bbb69a7848d17749cfa07acdc8e86be546531a133d7b497b1b0d1304eb15f0f1d6cb649
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\setx.lnk
Filesize: 1KB
MD5: 1a7ce1e5d53c71f2dff0663cfee60308
SHA1: 63ed9182e6b31095f00f361d8d4773434f7c2401
SHA256: 32f277be550b992a5e29203f9fb85e97ef8b75969e49a5bf8aa3cecb532399f4
SHA512: 005bbdfcf0f4756ce53aa861e4e972c63500a486ddcdadfefdb72c07d1a7a6597ecc2549d330018941fb06102b7f39d023a74663d49d161f5182ef8ab8e836ea
-
C:\Users\Admin\AppData\Roaming\Tetragon.aMA
Filesize: 123KB
MD5: 46ec9c3eb69156de5003428d22081b53
SHA1: 8a3d45a4058a2dbc8097f3f8a74e467401adc76f
SHA256: b2c432adc3a20be4b3d465c695231e9756db2b26d9112d026cd9751320e3405a
SHA512: 40f4b3f5dde800dc00b4d9ce60af94c67f48d56cbeea30ff6177b630c744d15488f7bb9ed1ccef3584a6763f57232400a098b89db1cfe02f57d5d735d64f515a
-
C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
Filesize: 3KB
MD5: 8a60c614feba622c63eef290fbe419e8
SHA1: 7c396293ae0754e9a676559e8ad108e48fa5eb33
SHA256: ae4fb477fbd21414862451f90a19dd1f572dc8327f14cba1b8f17fb3c3cf9e7c
SHA512: 1c3ac3c89b2a81a4e2d8a453fac3539217a9ef1c7b7b5069607f12660bda48a9287929056eaf80744734599ebbcb9ff05c6523aa2142b67eb29b3da8c81b0b73
-
C:\Users\Admin\AppData\Roaming\additional_tools_pc_checkup_icon.png
Filesize: 3KB
MD5: 2f5da6ef0e4770691fd130dfb87448db
SHA1: 01590c3ab8cccf149d4733c67224bbff86877150
SHA256: e280acf94ea4effc559485f8a1b6a879e04cf1f5d7c2b7388a132dddf22a8afd
SHA512: 9aa0e3783dd2439db06abed8a1604a8fe24cd52a9d62d9feeba0cd9e1f4a25f1c7e7c23a417b650fa0b90e4ee55f1ab108d17a3d6d4a4fc35e0eb460a4285c2b
-
C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
Filesize: 1KB
MD5: 71f6c3f678dcff31f094c2064f4248f3
SHA1: 5f12a05ccbc96ec8981ae4485b0add68c052575d
SHA256: fbbc759260f66fe9e4a60f3afde3fea06250a0fe56ff02b050fd1b4cba8c1b76
SHA512: 99dc7d864898cb4ec9a5fa7fcf1ecb7dff571e826b366a3454e87eb63da165e19fcac0455f407a49d6feeee634ed05ebd3b3fed7fece4a87f12983b67f4d69e8
-
C:\Users\Admin\AppData\Roaming\admon.graphics.path.xml
Filesize: 1KB
MD5: 294a7c5aa0c512d7100f743d02c5ae0e
SHA1: e4bc220a40448cc5cf62de150f83fedbcceccd9d
SHA256: f8b5fd179798e0240174dba2b5ae4c3f090e1758d6306479f596c497e29052e8
SHA512: eab5e0e646f8c5fbe7d640a6d51286cc272d421069674a2c3ebfd89017b97be7a756006167e5bf2fc3253b5d710ea06d1db955c74ae43c1bc6501a440db68635
-
C:\Users\Admin\AppData\Roaming\arrow.gif
Filesize: 524B
MD5: 03f9ce60b93cf5b50cf5e69e60f1396d
SHA1: 3b410af32f58fcd7f1692e8e47cafc594a77fd7f
SHA256: eb26e944c3fb23e9f0463201da776e0937a287e4b5487fd8a87061b1bce9bb3c
SHA512: faa01c9e10f28844ad0d6e2809a7cfd7b5f28a430fbcee587a33df13dc186fc000b4c084d15aa103f0381f316c4eeca47a5ba55dd8ac15d1c093a62a2c7e3908
-
C:\Users\Admin\AppData\Roaming\arrow.gif
Filesize: 144B
MD5: 0b31842824faacd1751abbb01ddf5fa9
SHA1: 5674b77233b89be37cdcc2f869072f453c485534
SHA256: 6cd839340040110df50a75eb6078718895a178b09769daf36e70978ec6ce4c73
SHA512: cc65c25adbc41813461b15716558ebef11faadbefa82b2afd16b610e54f3b978f8e4736cb7be495aaa8eec7aea295b983dec888fb1138101480d1cd816ca0d36
-
C:\Users\Admin\AppData\Roaming\aspnet.config
Filesize: 1KB
MD5: 416dfa4233efdca75d25c79ae2bb7d59
SHA1: 8a3bd385f4a83b062440547ce2873354e9a3140a
SHA256: ac8465eee799e2061a7ea472fbeb16efc5891ca2702a4229aafecd9fe190d8d6
SHA512: c638e637554dfbdc572e719069e573d5c17c371b82b24d5e452653074c6859687f5081397e0a0c587234e54191fdc4f7e11579f42fe96e73337b50de082ec2d1
-
C:\Users\Admin\AppData\Roaming\aspnet.configFilesize
1KB
MD5494066d0a081130639ae0ad93870eee8
SHA11ae55a49d67c50991c91a7bee074f422300d0d07
SHA2563145ba33cbfd51fb664f59e5ff413b9eccfd06c25a94c6edd3ce94edfbd1a96b
SHA512abab23e585bcf8f04fa0d5caa6fc614e93a492f12dc72354b00eb75f83209a1af601aaca6ab50c88cf9464354a37eadb47f2a27dfb64c64fcad5335d4a1532f7
-
C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xmlFilesize
1KB
MD521a994cd4f3fc0d7bbfe24006f726487
SHA12b02136327614bfc0c09c4d6b0e9cc97ceed48b3
SHA256add1fad1f46005038aab6ab829e4381f7b91e2f2f0f073ff0299a433f32ec376
SHA51260dc5044ec4d1977b49ea27435c85acbdedd03be239cbb090571eab37653a0989850a690166adaf11cdb14ecd86bddb0efc808a5f368138bda00f01ef7689992
-
C:\Users\Admin\AppData\Roaming\bridgehead.in.toc.xmlFilesize
1004B
MD5c1cf25885988504b0f6f90f1cb545382
SHA15e1f1c88ab034e14dd6f3aeb9da857f5815b4c6e
SHA2567808de9b4c36f737a88e309454101d3655597393323cafcf87d42e4411baa7b0
SHA5127adf12507347a9dbc84c93bc38a14c3dd42ba1e2c2f0f937b0915066d437288103b831b33f5dd99ea252a9f2a0a1e6eaf6289cccb04090b8a20ae00cd652660a
-
C:\Users\Admin\AppData\Roaming\buildMenu.jsxFilesize
1KB
MD5ec19d87bf31be0f9022d069803f67073
SHA1fd8fbc60713955a4a895904da7970f13f815acd7
SHA256e7b4fea1f0f74e66664301e1a34e4a6017fcb04aa6d249a38b901f8dd8fb3732
SHA512df5bc4aefaa26ef5d47d2902c494242d1167cdbbb34e661894af0ca0b76192e00c27bdeb7d2d5dab01b3452e109c11824ae8715a0c5113dbef124829e9574b3d
-
C:\Users\Admin\AppData\Roaming\directories.pngFilesize
1KB
MD58b95a0090d39a3b8a9a04c4a152637bb
SHA162dbb10eff701f4946ff4a9e498f24ce3b84a581
SHA25626b5ec85f2a654507111646ee18da725c22cb5df4b7dec6cfb6595bdc024d579
SHA5129170086ee8e450513fbccffb5d342bd0b92194deed6a8fccfdcc5f9f3edef6aa546f2e4d213fb3c6b0480edc0b5d81f8529e7bb92bca6f0231d71016230750be
-
C:\Users\Admin\AppData\Roaming\directories.pngFilesize
1KB
MD5b8431ad28846eedb63a0839d378a0367
SHA1908301e17f7f34e0b452e7cdbced92c1278307a4
SHA256b981d068c80d4b1a60d9c010516aeffb43b8a2afaaa0731bab7665ffcd5cd208
SHA512d4803aee4c3dc8b041565cc2b3050303d4d27815acb547219947a5672862015e91b4ae15c663f2d62ee2c73fbf7660cb1f72cad5e9e52b4de26bf71fd3f4494f
-
C:\Users\Admin\AppData\Roaming\docbook-xsl-updateFilesize
1KB
MD5d485a5cd6ca8feeebc079fcc6e914fc2
SHA155994d62a8a6c6ea39f1e9c5792fa1343839f2e8
SHA2566785bc061d585d645cd76d14828928133433cdb329ccc694541f8321f424460a
SHA512498eec9a93437c580d8f9f92c575330554c9e48a47af4015d32cd6fb03aebb863b1bf084df7a237feea59d477b6a835d59c43ceec07d4d8d048053282de365dc
-
C:\Users\Admin\AppData\Roaming\f37.pngFilesize
1KB
MD5c652c652b28d3a6fcf2ded441edbf8eb
SHA197dc375b2c78c2b1ad46e8346476a200ae119a1b
SHA256b5d7a8919d7887994ca7cb3dfb3877d584d73505d889f266616b632b8ffc931a
SHA512ae962d919803441fb239ad9adedf9f24697c91e925d1de55fbb961461d718f763d9be1faa343681e040ad433cc6c5354477ec762f423ef13e3e5357822101f75
-
C:\Users\Admin\AppData\Roaming\f37.pngFilesize
1KB
MD53cefff53c1064680594a5f98e65849a7
SHA1c681f94cb3dd872f02a274365ac21d81afb86ab3
SHA2561691375f12c985b72d6c2fb6596972eaf3efdfc86fb655d308d96c38f64a6f06
SHA5126a1e07af5f5d20cb7ebe9df97b67b4f98884c5300985876e8fca416959f324ad0d323bf3e94e858dba795853ec643f88da0bcb27c51595ee4e08f0989f3de1c4
-
C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xmlFilesize
1KB
MD5cbbcd7df4ad4679cdae899d3cfc6bb32
SHA122cf97f4d1a1edd0e4f27bf712f63feacfd205da
SHA256a39669f516b56f4d803f696423899d358bcc8a90aee9dbc787be48acae55282c
SHA512e5e9da52c8eb943a7705ad0111599210a924ff18fe68c74742e5e487a51c6a1b1890a165a281c99c1a32626d712ef224ffa9181a0c2866d3f2e020341364129d
-
C:\Users\Admin\AppData\Roaming\footnote.mark.properties.xmlFilesize
1KB
MD58f442e9bf42dbf4a7997d52ed3e37492
SHA10160d624330596c6303c590c223aaf644d161e2c
SHA256c117b2b0b0667cac6ff8e7266c17561c2d9ac9f021fb040ef71df7878f3ed24a
SHA512a744960b586e37e8bd33ba613f1e1a384529634bfc4c1aa58068dd9b4ee8bc149e7048e1e3263eee526af6d7ac43ac89dceac2d7ad0a7d4818dfbd6dbb22cd58
-
C:\Users\Admin\AppData\Roaming\generate.index.xmlFilesize
1KB
MD5fec6c7b575773a511f51596bf6854587
SHA14e320e01a19da6dba6d2c30c936d138a16a6560c
SHA2569f36ad3e16ff2e222d3eb99376529b720a100199642eb52639fd656b600df46b
SHA512409083df462f9135609dc78ae1318492ddbfeb4497c95d4a31012dea553b2fe29d56fd5ed0c6ff9ed5ca965e87223222c70f0e83ec3ba2f9c484ac933c7308f4
-
C:\Users\Admin\AppData\Roaming\generate.index.xmlFilesize
847B
MD5dac670dc3250ec2a38be195646386c89
SHA11373182d015c82b47d4bbc5dda88da5fbc1bca3a
SHA2568c4591b205a866468afe6779ac4af70e54e37a105361671fd448895a06c351a7
SHA5120b08bddc4b4723f39650acd68ad14b75783d739e473f64e9a692142b2ecb2577e21f0b41376d5d0de3b6e30744c5b390d9d4d8b74ad05c3060bea4ca393b1d18
-
C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xmlFilesize
1KB
MD5a057463e49cc7a282b9de9bd1f98c940
SHA117f203dd324b4dc61fc85a2848b93f0941946d4e
SHA256ca43ac52dec0ed1083c006678f4e1e0b7e6c2882e8bcc66e76bc776b7340bfe8
SHA512b18514215cc196d457629ee48c08b05078aa7b61dcd26a540ef9aa107e4231a27a80de11e068a03611c85966fcb511bf22f0ab40fc8e461cb817a1caba9c0734
-
C:\Users\Admin\AppData\Roaming\glossterm.auto.link.xmlFilesize
1KB
MD5c5513e9d05cc5679171549eb5e714373
SHA13b3e5a7b02b431e9f92680acbc71cde462026bd5
SHA256932fa94a268cc14bc363491dede4a477dd3fbb9b758c6aa0a9f19f445b9719dc
SHA5125e8474953dd890bb42fbf5c29b281d223549f65566ca2eede2207cbdd462c774e4342ca99cdc35e03de2660e0a0370ca632e018f324f31c19606ed32584bda82
-
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csvFilesize
315B
MD522f5329bdaa9ce6afdc94416fdb0a693
SHA123e281b1a54e69a441a26a093613c2135c510582
SHA256c1ed5d3f8cd2410d52977c569131b7fdfdfb5c286718154c0540ab652cdab004
SHA51297f61643b6ec17d8619880f54b1b2e62e073e9538ee89f00b72ec6de7d0dc1e6ca9706b10978ba8f72ecd0ddb42c11384c52238dfa9c2adef571cb14834dc9a4
-
C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_kr.csvFilesize
315B
MD5e7b835efd565a6bd02237591a64416fa
SHA17ea8027ff98e318758a48907a1f69b1b35f63c72
SHA25667ca7823ea8b02127ea8e4c198585e8442530e7e803b2832666257c4050ad605
SHA512911bd83c92eaa36464bcb00c45102bc1b5eacfc83cd8d7ccebf920874fd5156a975d1c0bcfe0d96ca0461ddb287f43c2c8204722d93c6f0ea8663d8f75e14f81
-
C:\Users\Admin\AppData\Roaming\{7F378566-32CC-194C-63ED-AAB4EF64314A}\setx.exeFilesize
191KB
MD53874199af9bef338ffc8dcd9a9d2dbf0
SHA114f4aa746d391393bd2fdd112a430266bf20a8f2
SHA256a80f30ee99a8d0d12abe3c6b631f8c8870d4f4f5ac776f1febb7cca78d7af964
SHA51238c177e59a2d36ed2e25e61930275e474c4cc628485581393dee8202bccdd3576149416fa10b74c9b7ac192c689f08db9ee3553a8e90f06c7ac691c5c2a34fec
-
memory/2472-34-0x0000000002170000-0x000000000217A000-memory.dmpFilesize
40KB
-
memory/2784-112-0x00000000021D0000-0x00000000021DA000-memory.dmpFilesize
40KB
-
memory/3080-116-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-449-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-117-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-118-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-131-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-130-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-128-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-127-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-125-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-124-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-504-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-123-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-505-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-502-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-488-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-122-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-443-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-120-0x0000000003C30000-0x0000000003C31000-memory.dmpFilesize
4KB
-
memory/3080-461-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-476-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-473-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-471-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-467-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-464-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-458-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-455-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-452-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-440-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-446-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-482-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-485-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/3080-479-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4224-36-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4224-38-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4224-40-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4224-52-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB