Analysis
-
max time kernel
146s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
29-09-2023 06:19
Static task
static1
Behavioral task
behavioral1
Sample
akibet20230927170129.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
akibet20230927170129.exe
Resource
win10v2004-20230915-en
General
-
Target
akibet20230927170129.exe
-
Size
396KB
-
MD5
1d9c34dad928bf8f79e07b02a626b608
-
SHA1
3af26a4f24a669b938bc128facc704f8751af8a5
-
SHA256
4bccd7f3cfb497ee38b259be7fce0df77b6da86d3651216e0308ca24dacebafa
-
SHA512
35498836099599e90636a6c04556845dc6b64f2680b854422fa38f17f573f8d8e3ad83e24ff51dee632d0c5b17edd0ef983a1ec66d2c7417ffd69da0dc7b0d9c
-
SSDEEP
12288:/qVOUuA1e24EcORX7c9r+hiUTFJ+kBNyuoCz8Unayi:7FAMEP7nhFJ+sFFq3
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2552-22-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-25-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2552-27-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1960-32-0x0000000002410000-0x0000000002450000-memory.dmp family_snakekeylogger behavioral1/memory/1960-33-0x0000000002410000-0x0000000002450000-memory.dmp family_snakekeylogger -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
akibet20230927170129.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions akibet20230927170129.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
akibet20230927170129.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools akibet20230927170129.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools svchost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
akibet20230927170129.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion akibet20230927170129.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion akibet20230927170129.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2532 svchost.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 2628 cmd.exe -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
akibet20230927170129.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" akibet20230927170129.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
svchost.exeakibet20230927170129.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum akibet20230927170129.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 akibet20230927170129.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 2532 set thread context of 2552 2532 svchost.exe mscorsvw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3008 timeout.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e055d0f29cf2d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000dd53c145cb274822ffce57f24fd3885a957f3e141a7c3b371ecbb6310d1fc3f7000000000e80000000020000200000004183b0e5cb55cadc7bab1b1cf97a8c1dbc525c26b4ca4f768e0d51eb168e48202000000012e899a7e793b4d63fa6d7fa43ad6545d719a485912d335bbd1b9422388e82d64000000082d299e86eb335fdd71beddfeccf6188ce0d5928111cc2ef9c5dedd07a799dd4cedb303e353a9e50506cae0d0c02ae64b8e389ebab4316e95a6a52d0f2716a59 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402130223" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000cb24da2ad18b6890a3d8624974156903f4dfbed8a76ae2d59943e21ee25e6442000000000e8000000002000020000000fc094c54e99b16f20310a63b68dc134653c2aecfe8558220eb22ad49cb2a2ebc900000008639c2029a2bf67bc0c07d36fc5a785e3b0fb28e506eb154020e9dd5f43c04bb234beaf5d6c755f352f6db90f9263ffd2c27aea5e750e05c622c682f81636585396be82fe91d9222cfb0aeb61893f5f7e85ea8f31c662b7e388f0e35e2a610e732e6adbf28a077c1fb967b6aa2153039a5d510829dba94a9fb1fb8d90f9c28f49417b6f9f94e0b625c3b023a74e3060f400000003255e433a9e0b88e997bbfb6672d8bc8a2efc074832498f51d906f40f4fa2d6699ecb7c11ac47c9cdf9487cb1fe4960e8372db4270aba82957308d0daf1c3891 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DBBBB01-5E90-11EE-8654-7AF708EF84A9} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
akibet20230927170129.exepowershell.exepid process 2228 akibet20230927170129.exe 2228 akibet20230927170129.exe 2228 akibet20230927170129.exe 1960 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
akibet20230927170129.exesvchost.exepowershell.exedescription pid process Token: SeDebugPrivilege 2228 akibet20230927170129.exe Token: SeDebugPrivilege 2532 svchost.exe Token: SeDebugPrivilege 1960 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 284 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 284 iexplore.exe 284 iexplore.exe 756 IEXPLORE.EXE 756 IEXPLORE.EXE 756 IEXPLORE.EXE 756 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
akibet20230927170129.execmd.execmd.exesvchost.exemscorsvw.exeiexplore.exedescription pid process target process PID 2228 wrote to memory of 696 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 696 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 696 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 696 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 2628 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 2628 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 2628 2228 akibet20230927170129.exe cmd.exe PID 2228 wrote to memory of 2628 2228 akibet20230927170129.exe cmd.exe PID 696 wrote to memory of 2536 696 cmd.exe schtasks.exe PID 696 wrote to memory of 2536 696 cmd.exe schtasks.exe PID 696 wrote to memory of 2536 696 cmd.exe schtasks.exe PID 696 wrote to memory of 2536 696 cmd.exe schtasks.exe PID 2628 wrote to memory of 3008 2628 cmd.exe timeout.exe PID 2628 wrote to memory of 3008 2628 cmd.exe timeout.exe PID 2628 wrote to memory of 3008 2628 cmd.exe timeout.exe PID 2628 wrote to memory of 3008 2628 cmd.exe timeout.exe PID 2628 wrote to memory of 2532 2628 cmd.exe svchost.exe PID 2628 wrote to memory of 2532 2628 cmd.exe svchost.exe PID 2628 wrote to memory of 2532 2628 cmd.exe svchost.exe PID 2628 wrote to memory of 2532 2628 cmd.exe svchost.exe PID 2532 wrote to memory of 1960 2532 svchost.exe powershell.exe PID 2532 wrote to memory of 1960 2532 svchost.exe powershell.exe PID 2532 wrote to memory of 1960 2532 svchost.exe powershell.exe PID 2532 wrote to memory of 1960 2532 svchost.exe powershell.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2532 wrote to memory of 2552 2532 svchost.exe mscorsvw.exe PID 2552 wrote to memory of 284 2552 mscorsvw.exe iexplore.exe PID 2552 wrote to memory of 284 2552 mscorsvw.exe iexplore.exe PID 2552 wrote to memory of 284 2552 mscorsvw.exe iexplore.exe PID 2552 wrote to memory of 284 2552 mscorsvw.exe iexplore.exe PID 284 wrote to memory of 756 284 iexplore.exe IEXPLORE.EXE PID 284 wrote to memory of 756 284 iexplore.exe IEXPLORE.EXE PID 284 wrote to memory of 756 284 iexplore.exe IEXPLORE.EXE PID 284 wrote to memory of 756 284 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\akibet20230927170129.exe"C:\Users\Admin\AppData\Local\Temp\akibet20230927170129.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3008 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2532 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mscorsvw.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.05⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:756
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD595eddfc41ff3724d667c2cadaee1b48b
SHA1b3651a4edfc1d2b140ea0fa62150b4819f1c78f1
SHA256b060e6b6de7219114d27993b45e21e1e135a1d4ce0308d5dce39042430b3c76a
SHA51225a5afeaba1ba9c3e353660e5105eacc5728618f2cb089b9791bdc891c4e22f353c99868ea0fd6fdfd62ed33b0565037fb657805b14ed3dc8c05dbce38943ed9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD522ae1219507ee23be8f5e832796273e4
SHA156d87d8c217d62a5aa581ae057234cbc608aac9f
SHA2560024092929baa7f491bd1d7f04104594e19cca1a95fc1d0602774e712f95e085
SHA512a2e1fa136af0daf6146f793e29e792d60026bdf78f3e945853f3966516b475eea73f879ce681a8951fa750e2e396fac4dbe519b423e5204b4bfe50901847fb06
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56b572fc3236b265032acb5375137a890
SHA1e74a588060895e8d67d568af6d7cb1f2b5e41a27
SHA25682441406696c4e02a76cd6e5cde45c533d9f28fe0502b61a9034bdfb9bec8bdf
SHA5122ef5d198d55fcbf85efe2dc1cf87aee4f04940c69b05fe827d31125943b9d8d757d285cdf64b9b048a84b1a5076d51525262669cf1536ba9912e4b0bb43b566f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cdba423d7aae7eeaa7d75d0260e9f99d
SHA1f2f849ce720b8f47f5ddd2be35aade924e7281ab
SHA25633258e322bd6db09ce5294ec0e0bea02db75afc60ddda66bcea40e0aab5a9cc5
SHA512552f5ba7164a46a8f5257ad1bccf5378e858c46035d9268a8a9952f7384728b3f07ee1dbde49d6601eca84b5148a443565ae12f6bc48ab3983bf958a3266ea87
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5544da90a78f52dd46ba00ecfbdabbdb2
SHA19381c38693496b877475d3825e50f0755e72dd6e
SHA2566aa524eed123a8df8587923e42f6416a1f8758de9194f5d5390b5293a646d281
SHA5125dd8d2b8931d4b4f49fe13fe051307d5de9f9d2418373c0c94d1976a4b4fde9153b171cf902844fa219814da7ce49b94344f4e33a8d16d8e431b34a100eb82b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55d3643ebd3a07216dbc26e20d4e7806f
SHA15e8a73cecb1bbdc277f647562196691664a61d01
SHA256012e7b5829870448e78232abb0f7a3d379b2b9f419d40fb21836646a960c4887
SHA51283c7b56a99947c9e60f6d8fe1646f429a11b7e55fab3c0d4b332043b3aa96c854f7375ec77e8cf11762013f6e97ad7ad40a80ecd1e5c91c38787281b03d4f9f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50f625eb67918c998837ffde0359e3b89
SHA1e789264fb3bb1b1cbbfae38c0c23cb951d93cd6e
SHA2561454e21dab74934bbea6ba02260368f035dfa1cc5fde816a03c80dcb4db58f25
SHA51216b0d4eac32f72710ee380ddea3ed7adebad6be032e84e89b39b8aabc9a7476fed9989c3030469d1fef5c2ff55a3f532c9734c3fa159aabcf1a5f1731007592c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e618c92cd58aa41cab7c3e64c08ccc06
SHA1ae608d604cb8eaf40742dd0df2bcab6a684c3c14
SHA2569cd141c2cf26ca240154c5b7b1f9f3b2d2514ebb4e18b54baaad18c5f41f8520
SHA512352dafa781473e55e59e70a828a0a6cc827850becdb1de4afee68926a3f78f7ade4025e7c8f92bcae846f8580a0e693027600cac20a55744e2a3e70d7519a7df
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5181d14c87eae78ab444a5a0cccad7694
SHA12f112922a99b685ed50efb79921094c03101711e
SHA256492a4021a5632c83a875d702fabb47ba54c0a1d7966e46b0224d776ffbabcdbf
SHA512d056e7f7503577a0734bfd0d04dcda93024026f4aafd9580cc3052d2b8f3e1f0105a02ccf7da330e946712135611d72adcee1f6e63411d77bfc2c9f22bde0f19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5323840587db6b04bf0c9ed64c543e96e
SHA16d7c883ed1d6ea8d5cfe2dd0205bc4bf34fbcb8e
SHA2568a0293c51c06dc2d80ade10ec98959cb84634eb51d94ba8cdec69b443b505968
SHA512bfa1e10aa9eeb61ceb523b304f289e48a0f83d4ba23963d78ab1123741575e5fea22588f42913ffbd7523a1d345cb557a5692e17056782c60b5de0ec27ac85c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5adf17695b77b54765bcbd29134c45188
SHA1e6e35ce4be711a0109e0066608fa4e49b4881b30
SHA2564c9232ac3071791f5cd6ed25c0c7107a821044fd6a788bcc4433a0f6ec777692
SHA512798644011e38928cfeaf2269c332441348a65709677b4f2e526d63e19463e9f4050299cc87609787b23db94839a85bd98d9dd0a98970a0ffdab0ad0307bb8a00
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD551231d0c3c6dda33dd536914349fcafb
SHA14be0e0ed99dcd5b49359e252d84ae2a02b7a853d
SHA256b059cc6a517c1d8f52497cdf39333e471f308eb34e91744ed15a8cfe303993b8
SHA51291f51ce22817b6e9e07b4fae75d2e24d7f2c6b42eaaf12f26173899755ae20e3e6cfa87b95d1820479f7727c3a2f5b232a69d0e594385a2c4438598801d2e7f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5338a0f9be776b45066662cb5755da5bd
SHA16ee359838cda87f6e545a53a227d39c85d81858d
SHA25639437cc783955b0487fcd5c304ec9cfc3c565e4607f9e7d30a311bd594a1f45a
SHA512a252e289fe4cde75ceddeb7ba83b542275195e23b568c1dd332fc0793b757dd4d47347bf69b804e716ddb95725137a9b17653aeba9786f09a854b9b697656dcd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57998d3bb5d931e3cbd8c2c6b99a4f285
SHA140f768a8a0a30c67835e652e6299ac1262b16beb
SHA256bbe5e3519a690720754346f80816285d684f0e4f1ee74798190c6be2ad1141d8
SHA512184e0a4ee282dbf4a207a777d059e3de8c3477efd19c404c8920af68a2b90da1faa8d1630ee6828aa096b26e2114095b950c1799569e18745167774197a9275b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5615148fd1e8ebe8b628ea9ed82367a9c
SHA16b89c8ebb25fe5c82207d21f82da7df203ee8986
SHA2569e3a78857d64e50f77d4e4e4797c0685bebe5cd2bec8385070b2f9932d0d02a5
SHA5121ecc32d66c84c32dfd651104d7a30180aa1886e8d89343f93a518ce014872f89c334e7587c13161781594c58a1f44ec7ca9b4e81bb96714505006d5aa78c3d47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55cf0d33240cc306367fa896a033ea2d2
SHA15203e4e2f84c2e96e514aad63ee1a8fd5f384c84
SHA256dab9ecb8b85dff7a97243560a0bd792ac238f07fb3ab769e0963059a0b0b07ba
SHA512ce42074c8dd04b4151f25b20484625797063ce1b20a5ece5cb47d1e47fd50c7c562bfd0a988811f29030a945c4b60aac03b293b7d79f7379463b56f61173575e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57af9597d74f756119f0248665ae33efa
SHA191573ec415d9207e983beed4f28adf5dbb7ddb95
SHA256a1c1ee2d5755d3e9d555b74eacea7aff43ac615644b54a683d2c5f5931d87b89
SHA512c4bf48e17feb383fa1b597bc8cf0395cc1abe213d353c5e51ff891c49017f075d8eda12c4009d56eb6d52d188baa8c29ec7e9c9845a7c53667152ec28fd3fb8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a391c497cf4679b97271009acf1a5773
SHA104b6f21fb362ca0ac33136aabf9fb6540303de02
SHA2565605bcd3baa8c97ea4adf4a946bd4e6297c41445955c9d25aa4a742e1eb16ca4
SHA5120f277260d0f76573069623cdfccb983c10b80680991e2f63411f6cb10ed721fc94f73fa2d05899afb63ca8befca130eaa24a92ec10b7c20ae7b245839ec1de1f
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
151B
MD577ff2382b1ae26b529262f67633a194e
SHA17bc3bd9c17726a0dca71c8bebf26e438fb37b740
SHA25654c4f1ea1ab409bf7503cad355465637793ebd681ab2202f2dbc42a2db929e44
SHA5127f229bda7b2ed536f0771a2a8529e9db8f8a63055198547eab748a058aac4c27b8e78ca6eb53cc84b48c907726bb19144e28a09339bcd781cab3b8a1949d126a
-
Filesize
151B
MD577ff2382b1ae26b529262f67633a194e
SHA17bc3bd9c17726a0dca71c8bebf26e438fb37b740
SHA25654c4f1ea1ab409bf7503cad355465637793ebd681ab2202f2dbc42a2db929e44
SHA5127f229bda7b2ed536f0771a2a8529e9db8f8a63055198547eab748a058aac4c27b8e78ca6eb53cc84b48c907726bb19144e28a09339bcd781cab3b8a1949d126a
-
Filesize
396KB
MD51d9c34dad928bf8f79e07b02a626b608
SHA13af26a4f24a669b938bc128facc704f8751af8a5
SHA2564bccd7f3cfb497ee38b259be7fce0df77b6da86d3651216e0308ca24dacebafa
SHA51235498836099599e90636a6c04556845dc6b64f2680b854422fa38f17f573f8d8e3ad83e24ff51dee632d0c5b17edd0ef983a1ec66d2c7417ffd69da0dc7b0d9c
-
Filesize
396KB
MD51d9c34dad928bf8f79e07b02a626b608
SHA13af26a4f24a669b938bc128facc704f8751af8a5
SHA2564bccd7f3cfb497ee38b259be7fce0df77b6da86d3651216e0308ca24dacebafa
SHA51235498836099599e90636a6c04556845dc6b64f2680b854422fa38f17f573f8d8e3ad83e24ff51dee632d0c5b17edd0ef983a1ec66d2c7417ffd69da0dc7b0d9c
-
Filesize
396KB
MD51d9c34dad928bf8f79e07b02a626b608
SHA13af26a4f24a669b938bc128facc704f8751af8a5
SHA2564bccd7f3cfb497ee38b259be7fce0df77b6da86d3651216e0308ca24dacebafa
SHA51235498836099599e90636a6c04556845dc6b64f2680b854422fa38f17f573f8d8e3ad83e24ff51dee632d0c5b17edd0ef983a1ec66d2c7417ffd69da0dc7b0d9c