Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 17:47
Static task: static1
Behavioral task: behavioral1
- Sample: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
- Size: 221KB
- MD5: 474f76977fa109dd9a1a8a7e51c49659
- SHA1: aed91b01397c5a067201e0eed886f7fe2acdc02e
- SHA256: 1c77bceb256e2c7e570830558b2084008f961483981d352b874af0e6e2ee3f10
- SHA512: 997f426de2c1942c7eb2efee57946eaa50f0f67e3cf1603b9e9ebf4bf9e09008172c74ca30b34943c25e0dc64815749f474ececc4ac84d5ef2217dd4efb0a1e8
- SSDEEP: 6144:zwHysaOmXtsnUpyzaAV+vCQ+xTGth9/oG:oaOmXanUpSV+vCQ+xTob/z
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, wecutil.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | wecutil.exe
-
Contacts a large (527) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops startup file 1 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
-
Executes dropped EXE 4 IoCs
Processes: wecutil.exe, wecutil.exe, wecutil.exe, wecutil.exe
pid | process
1572 | wecutil.exe
1392 | wecutil.exe
488 | wecutil.exe
3364 | wecutil.exe
-
Loads dropped DLL 9 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, wecutil.exe, wecutil.exe
pid | process
4248 | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
4248 | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
4248 | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
1572 | wecutil.exe
1572 | wecutil.exe
1572 | wecutil.exe
488 | wecutil.exe
488 | wecutil.exe
488 | wecutil.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, wecutil.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | wecutil.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wecutil = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | wecutil.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
41 | ipinfo.io
-
Drops file in System32 directory 1 IoCs
Processes: wecutil.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\choosers | wecutil.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, wecutil.exe, wecutil.exe
description | pid | process | target process
PID 4248 set thread context of 1360 | 4248 | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
PID 1572 set thread context of 1392 | 1572 | wecutil.exe | wecutil.exe
PID 488 set thread context of 3364 | 488 | wecutil.exe | wecutil.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe | nsis_installer_2
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
5000 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, wecutil.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop | wecutil.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\wecutil.exe\"" | wecutil.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe, taskkill.exe, wecutil.exe, wecutil.exe
description | pid | process
Token: SeDebugPrivilege | 1360 | 474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
Token: SeDebugPrivilege | 5000 | taskkill.exe
Token: SeDebugPrivilege | 1392 | wecutil.exe
Token: SeDebugPrivilege | 3364 | wecutil.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
        Command line: "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe"
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies Control Panel
        - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Level 1: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
  Command line: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
    Command line: C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads