Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2022, 08:16
Static task: static1
Behavioral task: behavioral1
Sample: 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
Resource: win10v2004-20220812-en
General
Target: 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
Size: 214KB
MD5: 3c1a4982815bb6549cd30e514e271fd6
SHA1: de2809b05f50c3fa5bebaaa2bee9712724ace615
SHA256: 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b
SHA512: 49e05c67daa6cd295d66058d6422925876689c8d1876ec267d06fe1c0af33b485382198c7f65c04ff0d35c35f404ca97a0ff7dd49b6de57e70877c41a447ddf1
SSDEEP: 3072:AqMK6lL0BwRYyxiV/lZ39cB9JjN/IHYzKNwz8/g3xod4ROaBG3ERWR3LV:NMtlL0byGZ39UJqH0Qg3Cd4oagU0VB
Malware Config
Extracted: danabot
23.236.181.126:443
123.253.35.251:443
66.85.173.3:443
embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82
type: loader
Signatures
-
Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral1/memory/2424-133-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
38 | 4216 | rundll32.exe
44 | 4216 | rundll32.exe
112 | 4216 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid | Process
632 | D769.exe
-
Sets DLL path for service in the registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\ADelRCP.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\ADelRCP.dll耀" | rundll32.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADelRCP\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
-
Loads dropped DLL 1 IoCs
pid | Process
4216 | rundll32.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4216 set thread context of 3140 | 4216 | rundll32.exe | 92
-
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\Microsoft\DropboxStorage.api | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Stamp.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\AdobeXMP.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\A3DUtils.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\BIBUtils.dll | rundll32.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.dll | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4848 | 632 | WerFault.exe | 80
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
-
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2724 | Process not Found
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2424 | 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
2724 | Process not Found
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2724 | Process not Found
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2424 | 8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2724 | Process not Found
Token: SeCreatePagefilePrivilege | 2724 | Process not Found
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3140 | rundll32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2724 | Process not Found
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2724 wrote to memory of 632 | 2724 | Process not Found | 80
PID 632 wrote to memory of 4216 | 632 | D769.exe | 81
PID 4216 wrote to memory of 3140 | 4216 | rundll32.exe | 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe"
PID:2424
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D769.exe
Command line: C:\Users\Admin\AppData\Local\Temp\D769.exe
PID:632
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    PID:4216
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223
        PID:3140
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
    -
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 484
    PID:4848
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 632 -ip 632
PID:2032
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5076
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
PID:2232
    -
    C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\adelrcp.dll",Xz4hQ04=
    PID:3432
-
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 1KB
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize: 913B
-
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize: 840B