Analysis
-
max time kernel
93s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 05:56
Static task
static1
Behavioral task
behavioral1
Sample
f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll
-
Size
96KB
-
MD5
f79e89a0711a923d6c65ba893f8f4191
-
SHA1
1dc38c3467823cc4434dd34d95b7bf08a38b4452
-
SHA256
106943d35578ea72207bbb7df6733a5bcebc4c99c9aaec9e752caf2cac841408
-
SHA512
9a1dfb174b02d6cd2d6626b761d6810fb20b1c0344f9795b6271c3e20b6623962b24c282c3b90932fa0012099c7998b5878e7f81180fe0da36b83723c71b00cd
-
SSDEEP
1536:TiBIdkwPKXBTRJV/sE3IXmKcnb05pDnR3ruPycZzGreQsjsQ:uGd5SXNXV/smxnb03day+iU
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 4528 rundll32mgr.exe 4308 WaterMark.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
resource yara_rule behavioral2/memory/4528-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4528-9-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4308-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4308-36-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4308-37-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4308-40-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px9D78.tmp rundll32mgr.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 1028 3116 WerFault.exe 89 4964 1588 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149951" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1305964339" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149951" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149951" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1304082603" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149951" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149951" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1305964339" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441093557" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{794541F0-BB72-11EF-B319-DA61A5E71E4E} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{794A06B4-BB72-11EF-B319-DA61A5E71E4E} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149951" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1305964339" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1304082603" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149951" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1304082603" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1304082603" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1305964339" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149951" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe 4308 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4308 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2376 iexplore.exe 1356 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2376 iexplore.exe 2376 iexplore.exe 1356 iexplore.exe 1356 iexplore.exe 2972 IEXPLORE.EXE 2972 IEXPLORE.EXE 32 IEXPLORE.EXE 32 IEXPLORE.EXE 2972 IEXPLORE.EXE 2972 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4528 rundll32mgr.exe 4308 WaterMark.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4128 wrote to memory of 1588 4128 rundll32.exe 84 PID 4128 wrote to memory of 1588 4128 rundll32.exe 84 PID 4128 wrote to memory of 1588 4128 rundll32.exe 84 PID 1588 wrote to memory of 4528 1588 rundll32.exe 85 PID 1588 wrote to memory of 4528 1588 rundll32.exe 85 PID 1588 wrote to memory of 4528 1588 rundll32.exe 85 PID 4528 wrote to memory of 4308 4528 rundll32mgr.exe 87 PID 4528 wrote to memory of 4308 4528 rundll32mgr.exe 87 PID 4528 wrote to memory of 4308 4528 rundll32mgr.exe 87 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 3116 4308 WaterMark.exe 89 PID 4308 wrote to memory of 1356 4308 WaterMark.exe 94 PID 4308 wrote to memory of 1356 4308 WaterMark.exe 94 PID 4308 wrote to memory of 2376 4308 WaterMark.exe 95 PID 4308 wrote to memory of 2376 4308 WaterMark.exe 95 PID 2376 wrote to memory of 2972 2376 iexplore.exe 97 PID 2376 wrote to memory of 2972 2376 iexplore.exe 97 PID 2376 wrote to memory of 2972 2376 iexplore.exe 97 PID 1356 wrote to memory of 32 1356 iexplore.exe 98 PID 1356 wrote to memory of 32 1356 iexplore.exe 98 PID 1356 wrote to memory of 32 1356 iexplore.exe 98
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:3116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 2086⤵
- Program crash
PID:1028
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:32
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 6083⤵
- Program crash
PID:4964
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 15881⤵PID:4924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3116 -ip 31161⤵PID:3988
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5cda3a1245093d86501ad9761f10320fa
SHA19ff6b95b0a72732f8afbd9504fa640bec134b498
SHA256eb60e5aa4327f06e072f6b97c6a52532aa55d5a5dc53e1d48ecced85da6214dc
SHA51251abd474d484588dd1cdc5580cf28d6a5d0481a4488f1f5b8a491c4f30ecaf5ba8cffa9c9ac696358d6725c6e290e8d28d2e3984d3d55f0ae496a65bc4142a1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5114e1fa7471cf819b4c48034ff706401
SHA1e3d1cf82c98053b0474f42698ba1353e7503ec6f
SHA25617e8decc49fe57d3e997c27abf494856490f4b37f7c2088211d527ee008d7fb9
SHA512b4ac9a408f44a4548ad3168f8bc6bc7f445ca5c37c9d149afe7266a270baa4f29c6184bf20356020db8495a4de5107e975ffc880e8e1b4302d72bd0f4aaf91c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5b0a2de73ae910a0527e8652d9f29ef2d
SHA1ab23d24d7a5a72615e537cea23a1d5864463f1e4
SHA2563917840c9980cd5d536e4a6385816b407dfdf7639aba04bd258aa2d6a12c2f1c
SHA512e70f8e301c767e7fecad62fbc50967bcd7f2ef8da9de7dc3f51a702f252b19602d5fc1f4a7d43c41f4a79dfd567e219c7e5e6750b3b13404a1bbaaf5210b0624
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{794541F0-BB72-11EF-B319-DA61A5E71E4E}.dat
Filesize3KB
MD5ba663836931cfd82dabc14bbc5d37f1f
SHA1bc9a564c254a254b926acfcb39aeb270a6ec821a
SHA2568ab5f5dfafa8870daf2618f33ab5826ac03e67c745fefaf8359e4f8615955215
SHA5122ab4621190145c38a5a64f2b6b210caf96f05d277443741b544b5dd40b3842c59b3c15173da4a60fc8274ed82301f7ff05e17b781515b3342155ac69d782bef8
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{794A06B4-BB72-11EF-B319-DA61A5E71E4E}.dat
Filesize5KB
MD547a845893c6ada740af89dc58a54adfb
SHA1b885df402a7b4e781b279edcb4a41b79037db0c2
SHA25613a3d0dc5da52740d7a158b767ef1ace22811f1965ffc4e818558189eecb3129
SHA5129a34376560ad5a149f636f470a27969830b74433850d41228f8c625b3e88229b1c9a0c6b656a837d0df5955e1c593a49a232e58961982ac80e1eb8ade79691a2
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
60KB
MD5cd963c64ad0bea4ca85a4819f6eefed1
SHA1d9cd6316cf3c6ce5ceec9694c2debc7b7981775f
SHA25633c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906
SHA512f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e