Analysis
-
max time kernel
92s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
15-06-2024 05:51
Static task
static1
Behavioral task
behavioral1
Sample
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
-
Size
996KB
-
MD5
ad10830a3342900f70cac19a8d1b6abe
-
SHA1
205261ebec6b48d1eda0ff543198fa23a62490a1
-
SHA256
1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
-
SHA512
297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a
-
SSDEEP
12288:HrGuxcx90nsc2x4d6Z7Zw4ySVz0Mw4kdKH7JW/heXGb18EYMtxGDunB8aebR:HrG2CR4N4PwMw4r7VQ6zMtImyL
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
kuatuvxpqfxoxbth
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe -
Drops startup file 1 IoCs
Processes:
PgYcv.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFjXAla.url PgYcv.exe -
Executes dropped EXE 1 IoCs
Processes:
PgYcv.exepid process 1164 PgYcv.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/4896-71-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/4896-74-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/4896-75-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/4896-79-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/4896-83-0x0000000000400000-0x000000000048E000-memory.dmp upx behavioral2/memory/3928-86-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/3928-88-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/3928-87-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral2/memory/3928-90-0x0000000000400000-0x0000000000491000-memory.dmp upx -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
cvtres.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts cvtres.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 28 icanhazip.com 30 ipinfo.io -
Suspicious use of SetThreadContext 3 IoCs
Processes:
PgYcv.exedescription pid process target process PID 1164 set thread context of 4896 1164 PgYcv.exe cvtres.exe PID 1164 set thread context of 3928 1164 PgYcv.exe cvtres.exe PID 1164 set thread context of 436 1164 PgYcv.exe cvtres.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = 0300000001000000140000008ad5c9987e6f190bd6f5416e2de44ccd641d8cda140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8040000000100000010000000ff5fbc4290fa389e798467ebd7ae940b0f0000000100000014000000c45627b5584bf62327df60d6185744a2d2f2bcbf190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28195c00000001000000040000000008000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c4b0000000100000044000000350034003500370041003800430045003400420032004100370034003900390046003800320039003900410030003100330042003600450031004300370043005f000000200000000100000088040000308204843082036ca0030201020210421af2940984191f520a4bc62426a74b300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d8300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101004d422fa6c18aeb07809058468cf81939662a3c5a2c6dcfd4d987558d790b12887b408fd5c7f84b8d551663adb757dc3b2bbdd3c14f1e03874b449be3e2404526f326492b6a84f1547ad442dafcd36abb667eca9eeae9bbdc07c7c3924e833c81499f92d53209ea492ea111719a36d2c54e68b6cb0e1b2516af6cde5d76d81f72b193268617db18deaf45e9dffb98af1418eda45ef6899445f055044addff27dd064a40f6b4bcf1e40f9902bbfd5d0e2e28c1be3b5f1a3f971084bc163ed8a39c631d66cb5c5fda3ef30f0a093522dbdbc03f00f9e60d5d67d1fda01e032bd940f7becc87665480a6a3b8f51962d5d226b19826ee9acb44a7455a8195151af551 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exePgYcv.exepid process 4012 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe 1164 PgYcv.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exePgYcv.execvtres.execvtres.execvtres.exedescription pid process Token: SeDebugPrivilege 4012 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe Token: SeDebugPrivilege 1164 PgYcv.exe Token: SeDebugPrivilege 4896 cvtres.exe Token: SeDebugPrivilege 3928 cvtres.exe Token: SeDebugPrivilege 436 cvtres.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PgYcv.exepid process 1164 PgYcv.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exePgYcv.exedescription pid process target process PID 4012 wrote to memory of 1164 4012 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe PgYcv.exe PID 4012 wrote to memory of 1164 4012 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe PgYcv.exe PID 4012 wrote to memory of 1164 4012 ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe PgYcv.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 4896 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 3928 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe PID 1164 wrote to memory of 436 1164 PgYcv.exe cvtres.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\ProgramData\TFjXAla\PgYcv.exe"C:\ProgramData\TFjXAla\PgYcv.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp"3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:3928 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp612D.tmp"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996KB
MD5ad10830a3342900f70cac19a8d1b6abe
SHA1205261ebec6b48d1eda0ff543198fa23a62490a1
SHA2561648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
SHA512297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a
-
Filesize
8B
MD5e83b7ff967e2529f3e452cdd72fc10f2
SHA1d5667e6c3cf485214ecbaf200ffa74a1424510ae
SHA2568eacf57cf79c2722e9332977919fc4c5b6f36eae964e4282ee760d9651db3d9e
SHA512ceb49abb4c1647ceed6a59622b973cd0a5127c61ef3afb3f7ec7bfcf7165d6f7f4a322924401965d3b50d65ee1764eb68aa28697d2746ea3eb10e0a0996eada6
-
Filesize
16B
MD5578716a8b6b660ba05159a4957ac238d
SHA11745319c341f18093ca1aaf93f15d80fc8a65524
SHA2562f38824c68ecbe5a889bd00b4165f467cd94ea6f4da5356db76fa3724b5d16fe
SHA512bac6582e7db0e6a0c31a1374a7abf36a65a62d360c082ed634d6be73632c966c10a06d46829e1ad79fe040934beea65b68d51c06a09d9569dd99f83b77e0fc70
-
Filesize
81KB
MD5cd800dd610d5f7266075e862ae13b920
SHA1616db329b91e7a7fe4c78f10a6f1bd6c1e07dd8a
SHA2568ec5be304f8d66f4842f193ca4e3738dffe28d3efe55eea69db834a6588fb019
SHA512962b90722a9ef2b48e84c40e62bee89978dec927a9ea70fa4e5d8597e33b4508d7f906740cddc8eeea4372c4ba365a2a26bcb038005468d885772205d140419c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
Filesize5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize1KB
MD546804d944f11e97d7623dd5cd0c3c3fe
SHA1be0708b276871a160404529f8b69d487f04f026f
SHA2569c5e42911b86a54279cc962def8e3284d1095d321d43a75e6e2dbab9669a10b0
SHA5121b9e8eb59ab434cd97db2b99b7d92f42d2b7e29dcc10d2c23c9f87445d26d94817cc4cabca7f6be1882fb383c4085494827a937e0ea1d95733cf5d3ba3a14c02
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B
Filesize509B
MD5ebf8b5bf1e25ca35ef1dc8cc25307f7e
SHA1d5ca1658dcc9996c2e74e62c1ce88738381fbee1
SHA256c6c513d636bea7006389e76d380c0f0fa3874fa4bc5436578357a076de309246
SHA51258d002388e21138f953af86c6fff41e5ffd8e926b6884f49b372cf6123cd6f5970d1719e50cca488576bde41bf9fb41f2a5ed90223ae5abf777f9a153ca01c37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404
Filesize300B
MD50b9187e593e686044a610abfe96c25b7
SHA18534bdb1e02a61e8c30134c9e123da2ab9c8bdc7
SHA25654cfd7010055af3f9d7f159cc4e6743aae214cb1730fc11745f9a5ff52670d23
SHA512e341a74c256cbf474a72f1e07f07899acb16da1920783f25d33893192eaa16a57221b6706466b2a7dcf0ef16feb5a3ec4d8229ea3e319ccfb53896b53fa13478
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
Filesize398B
MD586588fffc7a0af9f576fbffc655192ab
SHA14169e1435e462de160936a4d20b7356fa69b2bf6
SHA25675c2c070a14efda171db2c819954e25b02e0037c689fabff65073ca24cebaa22
SHA5123f97687237e1f8bc762c9098bedc9124eda56edd83d530970bde420ee06a2bd71352b423f64ef042fc9b38112191e2ea9134697c031ca1e79f64603a78789b2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize500B
MD5b97e64a86c999ec479a9a2b11eda10ea
SHA1948005adf5d78c37af413d31bb125132b06ef189
SHA2562badb7ed2925ce5a1eee5b258ceb3950a9631b43643738867d938d2033f55863
SHA51206a39096adbb1700fcc4279b0e8236e7ccc013985ce21d3681ffeae0a46b9cf9437fa1a4540e49dbe9ce804594e3ac121b70957248dd893ca690481f40f4dbed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B
Filesize490B
MD5a0f7376e1f79ecdae22e6056d3d35d21
SHA15bc80480b5014bd2739eba15f4df3fac62749af4
SHA2566e029f4314dfd8b27d48008f0579f978b9c7c50600921b26b57901526a28d652
SHA512780fcced1a99d476f9ba7e91d81faae0f2374cf478dc8df3054ef3a570e46956b154aafbb3b279f9af971ebbe31451dd0d09546b5876e4714c7546f2a8a874c4
-
Filesize
1KB
MD5b0cc2e6f2d8036c9b5fef218736fa9c9
SHA164fd3017625979c95ba09d7cbea201010a82f73f
SHA256997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b
-
Filesize
400B
MD5de4e5ff058882957cf8a3b5f839a031f
SHA10b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72
-
Filesize
391B
MD53525ea58bba48993ea0d01b65ea71381
SHA11b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA5125aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986