Analysis
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 05:39
Static task: static1
Behavioral task: behavioral1
Sample: f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll
Size: 200KB
MD5: f79006ba2a3876ab9305195cc8d0c2f0
SHA1: 9d21ff94924ade4cfa131191a9a7024027e9beb1
SHA256: eb42d640fd9705235e742c0f81f14065aefdaae8217639ba14486d6ab8eb6fee
SHA512: daea132cf93e5e6ba419bb413613c35e24f324abb4ce5f403adbfe4a03d0deaa32db3848e2acc00b980d134c1cf9354fb151bfc4d713abe5066f55bb0f4fcde2
SSDEEP: 3072:DOBOLWXivHYMzv2HvP5YeBTEEP2831Vr/rF8QOSta7Wefkka+4BCLUIXCjtmVlGJ:DOp8HpzdQOStKIdSUIXCYGcDlTVE
Malware Config
Signatures
Ramnit family

Executes dropped EXE 1 IoCs

| pid | Process |
| --- | --- |
| 2368 | rundll32mgr.exe |

Loads dropped DLL 2 IoCs

| pid | Process |
| --- | --- |
| 2028 | rundll32.exe |
| 2028 | rundll32.exe |

Drops file in System32 directory 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe |

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x00090000000120f9-4.dat | upx |
| behavioral1/memory/2028-6-0x0000000000210000-0x000000000027A000-memory.dmp | upx |
| behavioral1/memory/2368-15-0x0000000000400000-0x000000000046A000-memory.dmp | upx |
| behavioral1/memory/2368-18-0x0000000000400000-0x000000000046A000-memory.dmp | upx |
| behavioral1/memory/2368-21-0x0000000000400000-0x000000000046A000-memory.dmp | upx |
| behavioral1/memory/2028-36-0x0000000000210000-0x000000000027A000-memory.dmp | upx |

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32mgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE |
Suspicious behavior: EnumeratesProcesses 8 IoCs

| pid | Process |
| --- | --- |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |
| 2368 | rundll32mgr.exe |

Suspicious use of AdjustPrivilegeToken 1 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2368 | rundll32mgr.exe |

Suspicious use of FindShellTrayWindow 2 IoCs

| pid | Process |
| --- | --- |
| 3044 | iexplore.exe |
| 1000 | iexplore.exe |

Suspicious use of SetWindowsHookEx 10 IoCs

| pid | Process |
| --- | --- |
| 3044 | iexplore.exe |
| 3044 | iexplore.exe |
| 1000 | iexplore.exe |
| 1000 | iexplore.exe |
| 2864 | IEXPLORE.EXE |
| 2864 | IEXPLORE.EXE |
| 2988 | IEXPLORE.EXE |
| 2988 | IEXPLORE.EXE |
| 2988 | IEXPLORE.EXE |
| 2988 | IEXPLORE.EXE |

Suspicious use of WriteProcessMemory 27 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 1356 wrote to memory of 2028 | 1356 | rundll32.exe | 30 |
| PID 2028 wrote to memory of 2368 | 2028 | rundll32.exe | 31 |
| PID 2028 wrote to memory of 2368 | 2028 | rundll32.exe | 31 |
| PID 2028 wrote to memory of 2368 | 2028 | rundll32.exe | 31 |
| PID 2028 wrote to memory of 2368 | 2028 | rundll32.exe | 31 |
| PID 2368 wrote to memory of 1000 | 2368 | rundll32mgr.exe | 32 |
| PID 2368 wrote to memory of 1000 | 2368 | rundll32mgr.exe | 32 |
| PID 2368 wrote to memory of 1000 | 2368 | rundll32mgr.exe | 32 |
| PID 2368 wrote to memory of 1000 | 2368 | rundll32mgr.exe | 32 |
| PID 2368 wrote to memory of 3044 | 2368 | rundll32mgr.exe | 33 |
| PID 2368 wrote to memory of 3044 | 2368 | rundll32mgr.exe | 33 |
| PID 2368 wrote to memory of 3044 | 2368 | rundll32mgr.exe | 33 |
| PID 2368 wrote to memory of 3044 | 2368 | rundll32mgr.exe | 33 |
| PID 3044 wrote to memory of 2864 | 3044 | iexplore.exe | 34 |
| PID 3044 wrote to memory of 2864 | 3044 | iexplore.exe | 34 |
| PID 3044 wrote to memory of 2864 | 3044 | iexplore.exe | 34 |
| PID 3044 wrote to memory of 2864 | 3044 | iexplore.exe | 34 |
| PID 1000 wrote to memory of 2988 | 1000 | iexplore.exe | 35 |
| PID 1000 wrote to memory of 2988 | 1000 | iexplore.exe | 35 |
| PID 1000 wrote to memory of 2988 | 1000 | iexplore.exe | 35 |
| PID 1000 wrote to memory of 2988 | 1000 | iexplore.exe | 35 |
Processes
- C:\Windows\system32\rundll32.exe (PID: 1356)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2028)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll,#1
    Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID: 2368)
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe (PID: 1000)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID: 2988)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
          Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Program Files\Internet Explorer\iexplore.exe (PID: 3044)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID: 2864)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
          Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads