Analysis Overview
SHA256
a7f1cc11dfc813095b610889aa2a5eb4a1c0b6aeeea7a7fdd4a7ce05114d999d
Threat Level: Known bad
The file 05ea38e058ae5c2025283414974d0a9c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-23 09:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 09:33
Reported
2024-06-23 09:36
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dmlus.cc3 | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | udp |
Files
\??\c:\windows\SysWOW64\dmlus.cc3
| MD5 | 32d594de3f10811c6843dad0732f243c |
| SHA1 | e0113828ef448b641ad0fe5ff783d123ccb67d44 |
| SHA256 | 5904139598f59032fa25ab7e1898159cf6650c321bbf646aa3771ed4d26a8308 |
| SHA512 | 5879f2a46565a38d5103eb63fe890733c752bfdd5de44eb796db0dde4b63370af48425d092a3ba903215970f148474a422e7bbb7080867bcf793ff76faa4f61a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 09:33
Reported
2024-06-23 09:36
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\wutmk.cc3 | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05ea38e058ae5c2025283414974d0a9c_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 572
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1208 -ip 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3432 -ip 3432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3088 -ip 3088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 596
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2132 -ip 2132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1560 -ip 1560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 596
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2204 -ip 2204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2612 -ip 2612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 588
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1716 -ip 1716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2356 -ip 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3668 -ip 3668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 224 -ip 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 440 -ip 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2648 -ip 2648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 596
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2732 -ip 2732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4524 -ip 4524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1948 -ip 1948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 596
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3796 -ip 3796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3588 -ip 3588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4596 -ip 4596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 592
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2560 -ip 2560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 460
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | tcp |
Files
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 198acbb292bfcaebf5c27d9d8f15ab6d |
| SHA1 | 489017e5e8dbef34cd8fba9afe37923b696b781a |
| SHA256 | bd842ab5554901e4adb572efa48195cbf02120ec24037f430ca84ea70efcf7e6 |
| SHA512 | 5816d4606e8729352c60d91e637bc057242738a9c9c017b6df8e3ccb304f2e1c2665ddc3be9b30cb89c965ab5980e0fa9753a86035c61730c6f0d6a820827d9b |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | eef2881fa9fee3a13b5a127dedc624d0 |
| SHA1 | 0fb4622e8d71194817071b828b93a1adde413284 |
| SHA256 | 065d6a24ad604ce4295ad4df897b40668c0e6e3ca6d6713c3f0a282ee6af1612 |
| SHA512 | 86f1e7c0bebf14dde75b40a7c036bc4f3dcfc8bc7b9d0d0177d8c857ce1e7d0a8a55908a95869e994d314528a30d395d05def29289069f0c911d2eab9833b5a6 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 18bdb7f5af04450e434f51c70bcb7ae3 |
| SHA1 | 4df4c38f43a1b01d66d93b8c1e97d0d444fc8d8f |
| SHA256 | 95ae9dfecfc75cebf24208edc375bd0b1f6993ff2c21b8f3d4e3497cc12e8990 |
| SHA512 | 6cc267a22c9f7d43c8d8f9ca298fb97def8bd28efb0c166e552da14d8633d50b06373085f6c8aee50b87f000522af1da5c71ef56d73beefe862c0e0565ec408c |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 11213f15582a73ec9ae22fdb9f0cc042 |
| SHA1 | e8037f2c05fd0c20162caac8932141433e92a43c |
| SHA256 | 13c1e5f580075ac20b47b1171b5ecf647b94dff334534c323bf0b17fc135a3e3 |
| SHA512 | 5a77da706a504823bba94a5108facde077a60fe36e8f940fccd0ea8b3b10ed2d0295525465d212e1f5ecc0a3c821c4e0667ee86a3a8325d059d92e284f3bcd17 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 7dc9d9924f9052d02a1cbbc65c71468d |
| SHA1 | 4aaa41d95ecc70de1420d569414909f0bfa6b48b |
| SHA256 | bcfe2e49af1858a35aa3b436a1c04d0b290847af33e91c10e2a3e8ae4fe9328e |
| SHA512 | c2e25b6b0219db8c74df5fe884947010ab32792bd58bfca3db4f4106ac308f6bcc76db15c6e6911d74d42a79672c87e75984567f3c6ebceb44eca824c221981b |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 7f8623abcac2f4d5d21e4a2d6a29815f |
| SHA1 | badc531b82bd1219544540e4faf71eafae2050b1 |
| SHA256 | 3ad9200384f62423565d546eb0ad18f2a60ebd62295e1e6f0d6a6318f6a288e0 |
| SHA512 | 5bd019636828b9d96ee65eed88bb227d6798d8308f3718e9c7044d29d6b8eb31cce38ada587d9e155adb745a94a5c47adc06b08aad1c7625059fd2d83f800013 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 88dadd2cf9c05cf48299b5de05662fc1 |
| SHA1 | 5884adc37464a53a71ad1332a17925c42f4fbe50 |
| SHA256 | ef8dccdd8849ebd04c4048acc0bbc3a60e23a5bdbda0e5f813f624eb1140a44d |
| SHA512 | 14496581eefee0a0813f18fe5f03cacdae44caf42d0f16d3145f84bfd0f27ae65ef91cfb06bbc07ae14931f1dcc846a6fe439d9e71f637d5eff121bd4aca11b5 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 53d29e5d09d8e7308975ed1e2361bdc6 |
| SHA1 | b7e014503f5290ccb1a1f6bf708037b17cbc78ef |
| SHA256 | 40ef96c6623f9d33658286b4cd5b01d16e63a54074c329479afae71862d6329b |
| SHA512 | a0c6dff57da6ee2e64f1374f10e000be79bb37c54434eaa43c28f02c897423ff56c88fa444297a2306d4f040528b459bc2f61a70cb1f79f0d25e3570af2fcd5d |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 2e5556f91a801efa8e317b7a8218b6d6 |
| SHA1 | b7ff15d8d0b6bdf386822985dfa0791545ba64e6 |
| SHA256 | 9fc4b28b298611f3f82d067d69cb403a4f6bf4a6c3e87bafab986f86a148cfe5 |
| SHA512 | 7f03bdd3b726f4b844f7ea3a869a6d936b175be4ab3f8178f769965f7bc764399f05ff2c101e66dacd183ed285099438739b41ec6b22e91fd1363958b0a0fcfa |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 851efeed5ad70f7f10a3265b464cce9d |
| SHA1 | 006a3c9c01aabd6cfb1094c81091b71ddcd09859 |
| SHA256 | 436c11dbe5d8e33f6b55b76de57d063a19aab4f4429a863aedfd232fde871761 |
| SHA512 | 1e4870a48f8bde2edb5b1f5284d551bee1680c98686424a35329c4f215afbb8625cfd159721be5ab4aa8423676e1b9eb8a39c019ede8caf9a0cbbde4710de866 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 4249110cfb31f59d2a12da7f1ee961ed |
| SHA1 | e56a178e4cd54958b8feea200cf073c2aeb93434 |
| SHA256 | e93a7a88b7e9be088db2297f29c282168b41cfab732b95d0d92f8fcfb1029da4 |
| SHA512 | d245bd9701653a78445d38f4f40fdac64fcfd58aa16e481406bdac5b73d81d3f3a9296318aa0d34b0fe62fc933495489f2e570d49f3a51d0a639e4eaa57edb78 |
\??\c:\windows\SysWOW64\wutmk.cc3
| MD5 | 28d4352a65673f8e00d275848680ab90 |
| SHA1 | ec6027c3895b0e4daf7b26a46a7faaf3df6a6170 |
| SHA256 | 6a7de5fb63f745787530b1aab0ba11a72ce56cb6255c08a96239a2b2da8b235b |
| SHA512 | 1e45cbe07b7766155699b6ea4a00417f05ce001c9992cf4e67407892362898a0577cba0bdab5cfbc08a40b01ba6570da7bbad0c53fbcf734ef6c2bd3c40eb5e3 |
C:\Windows\SysWOW64\wutmk.cc3
| MD5 | 1ab9566efd86a17418354fe9af4dcc1b |
| SHA1 | 8152bb792b6f1cd6527bf812e9326d74270fee45 |
| SHA256 | 6a2eabf9bf8da9727df5bfb77c90f0fe9218e497717b2836891b89f03dae81d0 |
| SHA512 | d3f91f6e0b1ce64511fffee6fb0dd63ec4e1ec94da47c8fad8c714c7335e5f19cf5f7c51d4522f07729cf1635a4c57f9c37f81093093edf9edaa21eaae4fb724 |
C:\Windows\SysWOW64\wutmk.cc3
| MD5 | 396b8bd7048be25bce3444eede6debfc |
| SHA1 | deb253fe1d98681e42f4208a6a9b55aa22523be8 |
| SHA256 | e0e7a6e19a5888f296b64499d4dad8cc5c613cabc297724e9b1ea8db9514aec9 |
| SHA512 | 733393f76521c839d3263f44ad9b4de830e3c78421d26f4526862299de67d1a49ba3424b6a42edf2d061961338d60c015447d0e23ed0917c9108d3c6b890ff39 |
C:\Windows\SysWOW64\wutmk.cc3
| MD5 | bb5fc8e0d0639192ee8157ea4477d8ee |
| SHA1 | 902a80ccfe07bfb95bd55e7d6f00df995384ee1c |
| SHA256 | 6df42f8b9aa3f138c14920fc5506c9d726054ce7ccb6d44f2bdf1f17cc24c3da |
| SHA512 | a249b758a2101d63e2a6ab2ba436dc51a6f077ea9945ab599208d48a85ba05ed53c8e10c44011a8cada7cc26a7a80786dcd8406d61321ed9ce9724a0eacd8cec |