Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
04/05/2024, 04:01
Static task
static1
Behavioral task
behavioral1
Sample
116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe
-
Size
242KB
-
MD5
116ec1b12439d8bbd2a4220e8a0c034a
-
SHA1
b9acb1845b16752bfca051cd4f9ddb2487c7493d
-
SHA256
1cc6193073a75d7ab69bc94ba2265ebaf3ee0e4780684acd242bb4eea298be6f
-
SHA512
e33587be241640a30f0cb060a0d55bc140a63ce9d5eefb9c21dfc1f894ee73b4f727ba7d6d8bc2aac095ea6b8357c2118cd4a5bff1ba6d88c4fe94a53d95b6b0
-
SSDEEP
6144:39ka8sKwB/q/4JZmFUq59nT4drJrLOgRHLslh2PA73:3KsRFq/uZmCq59TkVrLRrsr2PA73
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 2604 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2624 3870112724rsegmnoittet-es.exe 2596 3870112724rsegmnoittet-es.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\WINE 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\Software\Wow6432Node\WINE 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\3870112724rsegmnoittet-es.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\3870112724rsegmnoittet-es.exe\"" svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1804 set thread context of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 2624 set thread context of 2596 2624 3870112724rsegmnoittet-es.exe 30 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe 2468 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Token: SeSecurityPrivilege 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Token: SeSecurityPrivilege 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Token: SeSecurityPrivilege 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Token: SeSecurityPrivilege 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe Token: SeSecurityPrivilege 2596 3870112724rsegmnoittet-es.exe Token: SeSecurityPrivilege 2596 3870112724rsegmnoittet-es.exe Token: SeSecurityPrivilege 2596 3870112724rsegmnoittet-es.exe Token: SeSecurityPrivilege 2596 3870112724rsegmnoittet-es.exe Token: SeSecurityPrivilege 2596 3870112724rsegmnoittet-es.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 380 svchost.exe Token: SeSecurityPrivilege 380 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe Token: SeSecurityPrivilege 2468 svchost.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 1804 wrote to memory of 2256 1804 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 28 PID 2256 wrote to memory of 2624 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2624 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2624 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2624 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 29 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2624 wrote to memory of 2596 2624 3870112724rsegmnoittet-es.exe 30 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2596 wrote to memory of 2468 2596 3870112724rsegmnoittet-es.exe 32 PID 2256 wrote to memory of 2604 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 31 PID 2256 wrote to memory of 2604 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 31 PID 2256 wrote to memory of 2604 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 31 PID 2256 wrote to memory of 2604 2256 116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe 31 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34 PID 2596 wrote to memory of 380 2596 3870112724rsegmnoittet-es.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\116ec1b12439d8bbd2a4220e8a0c034a_JaffaCakes118.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\3870112724rsegmnoittet-es.exe"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\3870112724rsegmnoittet-es.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\3870112724rsegmnoittet-es.exe"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\3870112724rsegmnoittet-es.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs5⤵
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\upd3934cdb3.bat"3⤵
- Deletes itself
PID:2604
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
277B
MD5d0a6c7b5246e6f8359ece3b0998d31da
SHA18ac99d8d60e59c381b843746d56c63c91a020283
SHA256314ba9bc1ed27af7a1044da4bff73cd57485d73709e816f485eaf3a7a548d348
SHA512b11a9c7204a5c3d002c3638c5ff0de995190f6ffac5eebcfa4f6a2eb5198d28ae881c54cc0eb243fe41610d9e4f7699de8f485a8156a7f6b00efc6d43b091e56
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\3870112724rsegmnoittet-es.exe
Filesize242KB
MD5116ec1b12439d8bbd2a4220e8a0c034a
SHA1b9acb1845b16752bfca051cd4f9ddb2487c7493d
SHA2561cc6193073a75d7ab69bc94ba2265ebaf3ee0e4780684acd242bb4eea298be6f
SHA512e33587be241640a30f0cb060a0d55bc140a63ce9d5eefb9c21dfc1f894ee73b4f727ba7d6d8bc2aac095ea6b8357c2118cd4a5bff1ba6d88c4fe94a53d95b6b0
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.tmp
Filesize3KB
MD570a7c732523cae20be715c92be55f210
SHA1ec922dc13633f66a028a9c773f700a1ac1a470b1
SHA256b3f5fb1756b594be47b879afe4335562a87298af7dcda7ba466086aea572796a
SHA51266ff3f9e59ee041e55a865947b66d78238fcb10111b0deeb15436a4740d36bb8680e667fa2583d4917825154c1a73f9c17bdada4369dea21479c2854ca85dcde
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize2KB
MD5c9b59fd755632596583d3fc9ffde7626
SHA1516f5240daa98cd246182126c76a220e1917b212
SHA256adbed3bfcf725224ace880619f63eabfa92bbe45842fe83c7ae7761aea443356
SHA5125aa7b3f82a2be72ebb06ff05f1adb13196a4cc3c4e6ee3fbbcf26839cebfe89023a15863dd8f6cfdbc5f164356d29f671132d171f75b4cc0bc08d3e0d8748f65
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize539B
MD517262d6f8d01a6574a5881e22d381295
SHA1534dff8b825588a4b3549ad4a662ae42b7bd30f3
SHA256864f625b5211d12e04fa3dd77c7a1ec7a7c7b14e869d9f5f833bde2abf8d31b1
SHA512396610feaa30f69b1b02ff32cecb70f4453c9dfc8535ca2f2190f151eb2b2b353068a67609ae3d1d98986edf05ba94e3f356c0c86980c1307af4f7b7d5b24eeb
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize1KB
MD5075896a4740de286f68433bbbaa8d3ad
SHA1685ea12c6f8c0e80e1cd57c843ab1daa540742e9
SHA256171f14289e4dab53aa5ad99739ab63aebba4e3b492f2d4d9470dfa62a7fa848f
SHA512cf796483dadb675751df4bf794d52923c5e95670f946d69f54366dffb68b72394cafac0fdbff7651959dfe920efd2ca6b5163bfa7435f3c9490ea06b471a0324
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize733B
MD5e9f31ce917ae14bf77a7a193b2f7cbcb
SHA154c1e27407b650d9b33b11e17a4b04ea5569636b
SHA2567c27aa0676859995748e3e23d579a9b120b2179e0690ad5745d3896137d92150
SHA51225e0129db632c6cbf5884c46ab08512a84dd5abb258a9cfb5b74583119b216b3d7e33302edc613e6e7ae06fb795c4b91f56303e9fb0ac90b333cd02d04ec6c32
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize1KB
MD578066e988186d128cfad945e02fedfc5
SHA134ff06f0512b9ed462ba08a106c11b464e302bef
SHA256dfc5b484b2846daef6d769c5e2b4a1f45ea2dea4739d2f875cfec37fae78162b
SHA51295e75415c3735dc887cac217c163ee3d51c8566c6e38c5a0f5aa0e3e5cc3b907024669307bb8f8b34bb2636707116d9c5268ceb907855ff9e5970d92e1a060d3
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize3KB
MD5009297628478b5a7d3a971d2864d7b7f
SHA11c1ffbc06342ef54a7ee932a10cf55cd896c7445
SHA25601cbca8f22e8053d9f3b8ce5d36c6421ae8170f99f78e02a293c09deb061ed9d
SHA5123587eb159fb38944ad53ffa6cec744ae30b5eb8d311321dcc9172e5a03ee00c92ecad02f17d5d4c8dd347178f5862a48edcbd00c89fabc357a88b616a7b63d23
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize3KB
MD5db86411c758b22bd45434f901225d893
SHA1c0f1c9448812408a055b7c14396ee91d99043910
SHA256495409920db3ff29e6f75a2d5f07188746ce1421c49f3a30e339d8bfec3483f1
SHA512f9f0e476ba50e9b06511d9c5d32f0a217eb361ff69cb09a30185029a33dc3ec1bccb031890dedf5ca854ca48eeeb38c2f2661ca80d843bd57f366ee168631b39
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize3KB
MD545b0653ec1cefb741b73627d6c3bf7a9
SHA156e9226fe79d2cc7c658a33814e98681edb51fb6
SHA25646b987c72441cb10a858a48ea02ac63fd8dd6a204513b3f7ed939efd8e6aa429
SHA512d0ccdf29c9cce11511648a3b1e1fbe4c90321536495c658292c8a8495e2ca0964930b9dd77ccd4336794735419370a265b2200158d0a1e909db63df7b19a971f
-
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\content-prefs.yze
Filesize4KB
MD5d82d9c3176b4b684a55fd28269cea3b5
SHA1921ca0601d43cb569cf6552b64ebba1c7083e81b
SHA25680e7df938628d7a167f810ad3f434926e23b8b72ded0654742e7ac2429ef9ed3
SHA5129b52d183cf68c0140253307cda653cb01a18586a9513444cbbe00beeb01d1d2eafcde1fb9427c9c9fed415e5337a5554c9a4c9857543d5c75f844016e5a72a57