Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 05:05
Static task
static1
Behavioral task
behavioral1
Sample
d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe
-
Size
371KB
-
MD5
d0c9cde6f5ad0af2666aebad26e363b9
-
SHA1
799aa6bc3aa8bc4b97bd8360a2ff21db3c54c834
-
SHA256
e709fbb8d14c11e567d5b6e82f9378a8eb9358fb5499f277acec2ac713932891
-
SHA512
8a2558dc0c43cf5248d262aee5bb3f69a99670191f373e49d0f290130f67b0dc1dfeed4d2a01db963526102e875340ec12568f1b6ac291efa2157a6f8bd714b2
-
SSDEEP
6144:LVZdkKATJe4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRsTo:L9bXgr8VMQDT52WXKq9fj5/AZjo
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Sys32\\windupdt\\svchîst.exe" server.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate svchîst.exe -
Executes dropped EXE 2 IoCs
pid Process 1964 server.exe 2952 svchîst.exe -
Loads dropped DLL 4 IoCs
pid Process 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 1964 server.exe 1964 server.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchîst = "C:\\Program Files\\Sys32\\windupdt\\svchîst.exe" server.exe -
resource yara_rule behavioral1/files/0x000b000000012270-8.dat upx behavioral1/memory/1964-16-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-31-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/1964-33-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-390-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-463-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-464-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-465-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-466-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-467-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-469-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-902-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-903-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-904-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-905-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-906-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-907-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-908-0x0000000000400000-0x00000000004C5000-memory.dmp upx behavioral1/memory/2952-909-0x0000000000400000-0x00000000004C5000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\Sys32\windupdt\svchîst.exe server.exe File opened for modification C:\Program Files\Sys32\windupdt\svchîst.exe server.exe File opened for modification C:\Program Files\Sys32\windupdt\ server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchîst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchîst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchîst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchîst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchîst.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier svchîst.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F41A5981-B458-11EF-869D-46BBF83CD43C} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c32f037a7fd274bbd7928cd726674da000000000200000000001066000000010000200000003ab215a0f80d778eb48e06e02ff1f1e30c58fa591e4473645c581db5d75fbf30000000000e8000000002000020000000cbb90299a918bf4748e732465308882b639ba09d2cc616bfdc4eb97a6aa642bf90000000199073761423ee4adfefcf92014aad168f6fb3192e2d710a78e4cf932bde56a1e450341cec25c36435326122b2cb2e1948ede726df6e7891bbac3c70627e74597e0fd768e40e45e9c3782851dd2215a125d310afb061ec7411070d9dd0723a1bf160a30ffdc648b769325f14da71e79e7a0c9ad9c507f49bf67f2e1f4b022225c0e1070b02ca1e73a27a770a44efd76b40000000f8eb3e4ad2391449a84359cf246ea525f6aa249d75a594208f2583f8efa71879df4a2e41fb9a82ef6917d221107ead1bf5d7e3e5d8e7b5a6039dac4528a22466 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439709829" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c32f037a7fd274bbd7928cd726674da00000000020000000000106600000001000020000000873c2d372a358600e96c0ba90b3d4ae63f7ed265c0f216e62bc90bdc5b4f9e25000000000e8000000002000020000000c2e210a67a0233c763906ad504a06ecbb82f331ba955ec1a6668153a9275863e2000000053f1402e681b644ae0c745032a1a5db8c90032c410d5806c8d54e050b18bf4d140000000dbe24d8891ed6eab5116582a637e8d8b8dfcade863889cebec83197b53e7039b7709b42ac18fe49ae1da16b86b2748b773b12a776eaca0dc9dbb350c467e68c8 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ffb7c86548db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2952 svchîst.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1964 server.exe Token: SeSecurityPrivilege 1964 server.exe Token: SeTakeOwnershipPrivilege 1964 server.exe Token: SeLoadDriverPrivilege 1964 server.exe Token: SeSystemProfilePrivilege 1964 server.exe Token: SeSystemtimePrivilege 1964 server.exe Token: SeProfSingleProcessPrivilege 1964 server.exe Token: SeIncBasePriorityPrivilege 1964 server.exe Token: SeCreatePagefilePrivilege 1964 server.exe Token: SeBackupPrivilege 1964 server.exe Token: SeRestorePrivilege 1964 server.exe Token: SeShutdownPrivilege 1964 server.exe Token: SeDebugPrivilege 1964 server.exe Token: SeSystemEnvironmentPrivilege 1964 server.exe Token: SeChangeNotifyPrivilege 1964 server.exe Token: SeRemoteShutdownPrivilege 1964 server.exe Token: SeUndockPrivilege 1964 server.exe Token: SeManageVolumePrivilege 1964 server.exe Token: SeImpersonatePrivilege 1964 server.exe Token: SeCreateGlobalPrivilege 1964 server.exe Token: 33 1964 server.exe Token: 34 1964 server.exe Token: 35 1964 server.exe Token: SeIncreaseQuotaPrivilege 2952 svchîst.exe Token: SeSecurityPrivilege 2952 svchîst.exe Token: SeTakeOwnershipPrivilege 2952 svchîst.exe Token: SeLoadDriverPrivilege 2952 svchîst.exe Token: SeSystemProfilePrivilege 2952 svchîst.exe Token: SeSystemtimePrivilege 2952 svchîst.exe Token: SeProfSingleProcessPrivilege 2952 svchîst.exe Token: SeIncBasePriorityPrivilege 2952 svchîst.exe Token: SeCreatePagefilePrivilege 2952 svchîst.exe Token: SeBackupPrivilege 2952 svchîst.exe Token: SeRestorePrivilege 2952 svchîst.exe Token: SeShutdownPrivilege 2952 svchîst.exe Token: SeDebugPrivilege 2952 svchîst.exe Token: SeSystemEnvironmentPrivilege 2952 svchîst.exe Token: SeChangeNotifyPrivilege 2952 svchîst.exe Token: SeRemoteShutdownPrivilege 2952 svchîst.exe Token: SeUndockPrivilege 2952 svchîst.exe Token: SeManageVolumePrivilege 2952 svchîst.exe Token: SeImpersonatePrivilege 2952 svchîst.exe Token: SeCreateGlobalPrivilege 2952 svchîst.exe Token: 33 2952 svchîst.exe Token: 34 2952 svchîst.exe Token: 35 2952 svchîst.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1528 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1528 iexplore.exe 1528 iexplore.exe 2844 IEXPLORE.EXE 2844 IEXPLORE.EXE 2952 svchîst.exe 2844 IEXPLORE.EXE 2844 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3068 wrote to memory of 1964 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 30 PID 3068 wrote to memory of 1964 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 30 PID 3068 wrote to memory of 1964 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 30 PID 3068 wrote to memory of 1964 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 30 PID 3068 wrote to memory of 1528 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 31 PID 3068 wrote to memory of 1528 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 31 PID 3068 wrote to memory of 1528 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 31 PID 3068 wrote to memory of 1528 3068 d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe 31 PID 1528 wrote to memory of 2844 1528 iexplore.exe 33 PID 1528 wrote to memory of 2844 1528 iexplore.exe 33 PID 1528 wrote to memory of 2844 1528 iexplore.exe 33 PID 1528 wrote to memory of 2844 1528 iexplore.exe 33 PID 1964 wrote to memory of 2724 1964 server.exe 32 PID 1964 wrote to memory of 2724 1964 server.exe 32 PID 1964 wrote to memory of 2724 1964 server.exe 32 PID 1964 wrote to memory of 2724 1964 server.exe 32 PID 1964 wrote to memory of 2952 1964 server.exe 34 PID 1964 wrote to memory of 2952 1964 server.exe 34 PID 1964 wrote to memory of 2952 1964 server.exe 34 PID 1964 wrote to memory of 2952 1964 server.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d0c9cde6f5ad0af2666aebad26e363b9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵PID:2724
-
-
C:\Program Files\Sys32\windupdt\svchîst.exe"C:\Program Files\Sys32\windupdt\svchîst.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\3a59a0f61dbd.gif2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e3a392347a05fd05e5b4ae8bf4c0a944
SHA1dbce23e30c667e17bec757e9a514a8886c1f73f0
SHA256b3b00aff6870f9ab6112b2993368d4bce52bb0330dd9d8a5de582b8e493b1f47
SHA5123cdb8bcb70fd04b8f2a32686094319f78811bf95c688cba8a4ddf45b17b98b485b64e71ca643a7f8abe2a1b5645f437b98cc48624eb58ba8fbc9edad66eccd0a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b1d5d6606c87aeeb04e083334cf276a3
SHA14883587fb43e5d1b1fc5dedc0379c09728ed2619
SHA2569f95c1b09fffaa0e9f86bc9c9551623f3809304eb8d6b7b77c6e300fc1514b6c
SHA512b0845c3cb099bb93217e8b0c6c1fb78c4eeee43cfe4e0bdcf2cbeb784bc63b5c828cb559dbc4b8de7baf644035a5659f8074a72ae34a3053ad8d0a91a6eafd9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a9ed6b38039dc0aae88ba56d4d599c59
SHA1ec9faf564ad216fc07eea0bb3d9b006e7f4d386a
SHA2562634bb3ca07b15fee9c5ce9409a1c544c6a09bb4432c5ed5dbe770c2a09fd417
SHA512e366d6717b09a51ce0786a980ddef1ad9dc92d99f2314f48a250c1f3a681c793939c01cc8e80260c9485c3c793089abfd92c7593fd6cbc1ec1e7e28e144033a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5603ba40847ae59ed97f6c533c2af9d7f
SHA1d0abd4318a0fde223d0700e34fbfe90d3278c575
SHA2564fde60e86fece7c0bc12ed9ae7c129edade1f04df71a9e3e730e25a08c486452
SHA51218aba028fd68cefbb0da2f20932fd8e1b1a847102f1213df7a56c8f5ce4919de2ab6c731e53f5bbfa8b5e9355640e005022f457d432e48d2f397b49bcc31d23a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56ada6a79a83ba773406cc4084edc7317
SHA11c76405ee9d10588a9d52a21ba61f8db206a235c
SHA256eb629364bcecf6acb16aeda80100b4e433768d58a18e5a19da11083dabd3c741
SHA51236404a04e18777add096b04e87488ce8c84c3a25d338db933811f8cae70a8dcc9c7de603993d6bc6e2f065d343027882d681d2ebbdcefc97e87d49c25b64c84b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD501688e35f5c22998b605531d3961878f
SHA118ad0871481b5d64406dc387c781204016383351
SHA256c72bd828583479efe007171ac9eb365f5daec220614c5b033d06152637075c3d
SHA5120f2b5da25baa506464b21b101d351e707d85786e44adff602fd2a011b61ae5dfb6644423c75928283a80140fb8d501e773bfd9c0aa2e547d9f89a8d8a159d1ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56f4b750bbce004ab08e8e9c71ed7ce35
SHA179f10a65e14497d72982f06d835264b0e9892e62
SHA256a3e18afe5376806527f441881a07eba18c87049c8a926bcef80f52529cae5159
SHA512d2aac5da02d9ac53ec8bafe6a908e2e7f80176fccc3ecc7ed32e4df362695c604f28a10b4774198ecbf91bcec65e8713b72ef724cc659d501b3e1f3a3d3fd302
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD515ea0d4b02c50a75177fbc11cc6d2587
SHA1fa4b7918bdc16a026a3828c4b44cd186f613fc04
SHA2561d93e287239fe3564fa54d33c9463ba4c0943dae369b8b1e30d61c4f049edba8
SHA512106d67ef05476b885f749071676c6ae2a9f0ed9de4277bf03d4fc995c8017ace8ebe38749bc38622905977a0186b726e0035a3a772715138a45665481100edd5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52c2240debb8a8fc5ad2f9098655332b6
SHA126cd5146539b24075e13af08b1d68ff788c08285
SHA2565821c4bee3765b4dcd8cd7c90419cffc3cae5d5a3bbba67af1007658fe28d62b
SHA5123be5273a6b8480d7f44955a95771a56e1fd42edb087be32ff6518b3b1005bc7623962b0ecf81d8d66cf1b4b1c383b456109f7c0a6b0cbdf4166f0a9d92c8e87c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cf2a6ebdb92c51939ca5d11e4526a94e
SHA137fe0b7b40756fb43493cd167f676138a39c2ed5
SHA2568cab7add61a3c7ec242640191b1778449bb1c92bd7376ebe63c5c0acfb9e98fd
SHA5127a3976e9fe71b49360361632a42ad1efb34b0377c2394cf5b59a739d98bb9b9bcee048de3178fc7327bab05be379ca7f8f519a6a92a13fd86fc057db38717248
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5100d854d459a93c088bc956e605a9d76
SHA112e82b8b647c7b0d2b1d62e454e502e423bef992
SHA256ad6001ece7ef4a913e4d1012b2e439b2f0f16f1ed9e1ac3a76cb88e93982a8c8
SHA512e55b4130f7b0f2cc743e1d106fa89f02ee102265a2b91a6401033d54a7a9d8cf32a156a41721a7f89e55811a220d8a660fdac115dcbaa9013a73adcbc38cb890
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53c5b94ce5e6db454a8c38f10605ca592
SHA1439b3a3c77d5fd22998c97a20b8e4fe97b7c9d08
SHA2565f0c32cd964997ebbd5f9bb269450f7803900a16783bac7460bd5e54cde09102
SHA51296e99137e632226e538ff5a16975164f0443033d59f3a33f23e3b21ef74bfed80cbd8dc252bed48cab0c228a0bdf0f4a8a90980c6dc97a5081c003988722db01
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e71a4f7625d5205a2a298a7b22eb304c
SHA1ee8ff256ec3c6aa8c0ab32077ec1502ae028f573
SHA2564a690e509d1bcafd13e185f23b9d4e4f4d189b9dc7c9c75f23eda8dc51bb937e
SHA512ba633a96c7d50fc52382e6eab8fb958a7801ea1375078c70a66af150a7c5ee59441721d670e3fb2ee49cc4972ea232e0f7a40511561b396e49d55c6268beb143
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51b83414c7d0fc9759300ee77f9308a45
SHA1ceae0d78af0c615ada08d3474af4960be9a75a18
SHA25684cefda823aeae62c48f36beb8bef478ca7962fd74965a4b8ccc07de70067bad
SHA5123852a55097020b6cc60c7a2efc9e48f6450835c29af85ef5a4c3b7625b33b1f425d5f685f7d3fa23b955184aca32b76bf7c786931fd20698dbe96d3d22f45177
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56a5c8069a86495594fcbb5f6ba891e8d
SHA15e1f4267ea8d291c7fd761b3920e7057e9f25a69
SHA256c72d091e79cbd78609c6834f8b172a3fd0fe84b4ded3e9bcd5a55eea98317c07
SHA5127daa92ae38cd83446d12b06a202f8b14c406458e4e61c5af863f9c9b7355e79b256a217010598fee2e328840275196b1b25dd26940367053ceafdf361deb8a79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55e1c2d1f5ec4a6a6adf06628088aabbc
SHA1846507b6bd1f23e125af459a7752f1a7ffd3985a
SHA256a68545bcb9c7aeac984eca1fb627d6bb8f7a79d5935800140a28d9d5a4a6496f
SHA512b5d055f7d27bae4a5baf2227df9edecfd8d73752b32bcb0694d55f260bfc89f6a28792f48295cc70f115246f721efadb60cced2da99dd3571b860b620bcd7d9a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD567e3df9b7045db772268cb11f2c526ef
SHA17706f996d36fdf301ca0849ce3462120ea7c94c5
SHA2566529f8c1dff25936fed4679c9f146991e6887ec3d9b073f7369bc8002bfc4e04
SHA51241fbd6ccf568ef207eee67672b302b8a249b5dd7b4c22302bcafa8a6e6e25f2d916d27a09d81b3d8e24e5e4d4f05cadc16c95924c5debfbf2a008f3ada7e6d81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5acb79a208e5f097f0ae2280af9bb0e39
SHA1d8872622bb6c5e786d0445c06fc39888c0075095
SHA256decb1a259d8398ea23bca753c9c8db273f5d9bea7022f829f19e12aa2bb8ed38
SHA5128db6786ba64451457a42f85eb175da6be03a7c06f41fad39c8c5d1577834f1e45f5d4b3c3c4bc27e277878623ccc4b08a615972bd1d53291864f85301398f4de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59b818ab7259baa50ccc18a9f1fb32096
SHA13591c5935831f863b369498a0e11a220bba22245
SHA256239a7e3c6decf7fd99fa2a7467ba2bdb878595f04e351b6aeff20baec556e79d
SHA512c241341ddd15e501795745c90a857543b3c25a1d3ce4ef73a86f629908ec12942ecdde7f31db6bd61c5dcd147fddddcc40e3086ab3b109553302fcd907b53ea1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57adc5c9072ba5748bc0185f66f9b6430
SHA17da0f609e3884f263212168d1802da99318bb7fc
SHA256e74122d394b5768adea9739831e456f3a02a33c7d8cff2d508c7d5300fb5ba21
SHA512608dedc5dff25bd1235d64837fd6b024f8d86a773a79e5b06e82349ab4e0afb3eb752d3ed4e92ebc348a50f90611d8319aab4d6d7263de2b5821b459b014c0a2
-
Filesize
3KB
MD580488340cdb819016bf9dc201c8827b6
SHA130937d432220406714d58a11872d8b6bd81046da
SHA25674d5b991020a9003ef108e34192afac1d66b5d42a6f4653777508073edb26ad4
SHA5127e299ce63eb83111e8987c9111dbb29ce8cab61fafb74d811ef1353367036db156d354ba7cf2e8ab6e923d74929812cddc74a93dc6863a304a1fb01bab77beac
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
320KB
MD552a9e1572e9e1ab39e923b120e99a56e
SHA1cc65aedab9a85fea2951ee8710a71df5efde1360
SHA25676cee4187d7d27fbafce5515fe488c055861c226d0670e5097713d8343ebf86d
SHA5127c29c3d99c112b1779adb133764e45de8b8afbedb6dbefe5eabb15a3f392e7953f44c945f1782003d74b2d891c173e585eed9ef0f560a3ec1d703e155774257b