Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2022, 11:40
Static task
static1
General
-
Target
36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
-
Size
310KB
-
MD5
c6d5caf032d4435e71637bd333f174fb
-
SHA1
1971852a4bedd32ac3a74d7a9600dcb369e71cce
-
SHA256
36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007
-
SHA512
7a7176c80ade6000dbb7a4b94cb11f229b360ea8adab69d829cf24541d5f364e9f6143a697f1c839336da98261f9a038aacc4c463b90d67bb2fba56158d8144e
-
SSDEEP
6144:+gxRLtYltAaD+/eWOGkLc3zJJaRH4rWlRjO1n:+qRpYlt5DXbBotJayrW9u
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/4332-133-0x0000000000520000-0x0000000000529000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process
31 224 rundll32.exe
40 224 rundll32.exe
59 224 rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 3436 C614.exe -
Loads dropped DLL 1 IoCs
pid Process 224 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 224 set thread context of 4060 224 rundll32.exe 92 -
Drops file in Program Files directory 16 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\createpdf.svg rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\info.gif rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3328 3436 WerFault.exe 87 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe
-
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found
-
Modifies registry class 30 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093552e65100054656d7000003a0009000400efbe6b557d6c935533652e00000000000000000000000000000000000000000000000000f7d43600540065006d007000000014000000 Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found
Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2584 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4332 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
2584 Process not Found
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2584 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4332 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process
Token: SeShutdownPrivilege 2584 Process not Found
Token: SeCreatePagefilePrivilege 2584 Process not Found
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4060 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2584 Process not Found
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 2584 wrote to memory of 3436 2584 Process not Found 87
PID 3436 wrote to memory of 224 3436 C614.exe 88
PID 224 wrote to memory of 4060 224 rundll32.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe "C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe" 1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4332
-
C:\Users\Admin\AppData\Local\Temp\C614.exe C:\Users\Admin\AppData\Local\Temp\C614.exe 1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe 2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\system32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949 3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4060
-
-
C:\Windows\SysWOW64\schtasks.exe schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask 3⤵ PID:3432
-
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 536 2⤵
- Program crash
PID:3328
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3436 -ip 3436 1⤵ PID:208
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵ PID:3424
-
C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k LocalService 1⤵ PID:5080
-
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\back-arrow-down.dll",HwkWVTFWUlpS 2⤵ PID:4824
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
Filesize 27KB
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml
Filesize 15KB