Analysis
-
max time kernel
94s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 17:24
Static task
static1
Behavioral task
behavioral1
Sample
0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll
-
Size
96KB
-
MD5
0fd6e7c396063517b9d82be20437cfcf
-
SHA1
0a3cd77a98e869068954fd2d870b2b64382c6f47
-
SHA256
d46734e8a732cf0a28b717dd8dae251a71582314923c9cc4cbbe17b0a46e8c48
-
SHA512
31f633533396ee4bc2231731ceb305249825bdca18c8aeef0ccd00a45f978e6aed00cffcaca0add107346a922f888f6d27fedeb7a1dc232c91638dce68f379ad
-
SSDEEP
1536:i6lIdSDpfArqe2FeEuWR3YvsEnLD34+9Mz0rtbX01oqtAEfM:2dSdf9nusEnnz94iBIoqtAEU
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4924 rundll32mgr.exe 1900 WaterMark.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
resource yara_rule behavioral2/memory/4924-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-9-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4924-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1900-26-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1900-29-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1900-27-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1900-39-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1900-40-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px8CFE.tmp rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 464 4996 WerFault.exe 82 4672 3404 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6124645B-81AC-11EF-8D5B-F2CE673D6489} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "899119337" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135161" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135161" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135161" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434741258" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "900212976" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135161" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "908182019" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "899119337" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "900212976" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "908182019" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "900212976" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135161" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135161" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{612202A0-81AC-11EF-8D5B-F2CE673D6489} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135161" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135161" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "900212976" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe 1900 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1900 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 404 iexplore.exe 2872 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2872 iexplore.exe 2872 iexplore.exe 404 iexplore.exe 404 iexplore.exe 4424 IEXPLORE.EXE 4424 IEXPLORE.EXE 4220 IEXPLORE.EXE 4220 IEXPLORE.EXE 4220 IEXPLORE.EXE 4220 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4924 rundll32mgr.exe 1900 WaterMark.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1880 wrote to memory of 4996 1880 rundll32.exe 82 PID 1880 wrote to memory of 4996 1880 rundll32.exe 82 PID 1880 wrote to memory of 4996 1880 rundll32.exe 82 PID 4996 wrote to memory of 4924 4996 rundll32.exe 83 PID 4996 wrote to memory of 4924 4996 rundll32.exe 83 PID 4996 wrote to memory of 4924 4996 rundll32.exe 83 PID 4924 wrote to memory of 1900 4924 rundll32mgr.exe 86 PID 4924 wrote to memory of 1900 4924 rundll32mgr.exe 86 PID 4924 wrote to memory of 1900 4924 rundll32mgr.exe 86 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 3404 1900 WaterMark.exe 87 PID 1900 wrote to memory of 2872 1900 WaterMark.exe 91 PID 1900 wrote to memory of 2872 1900 WaterMark.exe 91 PID 1900 wrote to memory of 404 1900 WaterMark.exe 92 PID 1900 wrote to memory of 404 1900 WaterMark.exe 92 PID 2872 wrote to memory of 4220 2872 iexplore.exe 93 PID 2872 wrote to memory of 4220 2872 iexplore.exe 93 PID 2872 wrote to memory of 4220 2872 iexplore.exe 93 PID 404 wrote to memory of 4424 404 iexplore.exe 94 PID 404 wrote to memory of 4424 404 iexplore.exe 94 PID 404 wrote to memory of 4424 404 iexplore.exe 94
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd6e7c396063517b9d82be20437cfcf_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:3404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 2046⤵
- Program crash
PID:4672
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4220
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:404 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4424
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 5803⤵
- Program crash
PID:464
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4996 -ip 49961⤵PID:3428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3404 -ip 34041⤵PID:2944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD56de4427d02d49cee2c46a8fead1fafa8
SHA1bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA25646d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5a5d284455b1b1c8724f6ebdad4ff6193
SHA18ff12278e611384b6d527d4efd7700c1050d0b4e
SHA256953aafd1310a36c215517ec5eef00317bb1528c8cf9af18bfffa2b461280800c
SHA512d7701bd16836ef497a022f401c04e1631376b6f015a312d21bbbd05a0ef94b09e3f69e43f872aba7a55ea064398dba86a298c94e304ce68b74f266fec4c1d1e1
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{612202A0-81AC-11EF-8D5B-F2CE673D6489}.dat
Filesize4KB
MD584097424583c026b47241b7ab2af2570
SHA18b580a543e615b210cc699eacb5b458fe0c4f9df
SHA2564fc698e456789980887225c41a87d5d4c66fb95f06b88ba36a7a11edcb7ea0f8
SHA512d528d210a104ecea23acb2ae740ebbe14cb210fb6b263c93492812322b11a1b6f3007a96753acb2efa191f719accbc1afeb847d4be45f845db1116d9711ebc6f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6124645B-81AC-11EF-8D5B-F2CE673D6489}.dat
Filesize5KB
MD5c8a0fcb25c24c32f434156d2386963e9
SHA14163f50bb3f886a0635bab40d9c69fc1079cd8f0
SHA25604d1e510bfed6bc2d2a8f2dcf6036332d9927df1c34e3b7705fa95d5b7bea58a
SHA51282d69e94b5a8caada01c24bb2377038bc12240d13118d7280e685d44bb568af2ac55d92529512d201b591855f88754b2f060411434c763c55eebd7d758f4585a
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
60KB
MD5cd963c64ad0bea4ca85a4819f6eefed1
SHA1d9cd6316cf3c6ce5ceec9694c2debc7b7981775f
SHA25633c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906
SHA512f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e