Analysis
max time kernel: 95s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16/01/2025, 15:39 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
Resource
win7-20240903-en
General
Target: JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
Size: 95KB
MD5: 7ad116ac37e2f0968dd423edcdb5dc52
SHA1: c336a92233ef1338cd46cd88c62238f7b3a45d27
SHA256: 21e80677ddeb030c34cacddf936bc5791e09e73f467012c22a8ecc2a21ee13a9
SHA512: 43b25586c7bc82c71543b20a3c275981dd07ad36eb817155298ab78ee8886a11eaf6c824150a639975704e2988ef527ad04587c1f43cbc4e6336492b5fb08317
SSDEEP: 768:U06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:KR0vxn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
Ramnit family
Executes dropped EXE 1 IoCs
pid | Process
4876 | WaterMark.exe
resource | yara_rule
behavioral2/memory/4484-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4876-22-0x0000000000400000-0x0000000000439000-memory.dmp | upx
behavioral2/memory/4876-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4876-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-5-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4484-4-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4876-36-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/4876-37-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\pxBAA5.tmp | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3944 | 628 | WerFault.exe | 83
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
4876 | WaterMark.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4876 | WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4188 | iexplore.exe
928 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
928 | iexplore.exe
4188 | iexplore.exe
2108 | IEXPLORE.EXE
4488 | IEXPLORE.EXE
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
4484 | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
4876 | WaterMark.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 4484 wrote to memory of 4876 | 4484 | JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe | 82
PID 4876 wrote to memory of 628 | 4876 | WaterMark.exe | 83
PID 4876 wrote to memory of 928 | 4876 | WaterMark.exe | 87
PID 4876 wrote to memory of 4188 | 4876 | WaterMark.exe | 88
PID 4188 wrote to memory of 2108 | 4188 | iexplore.exe | 90
PID 928 wrote to memory of 4488 | 928 | iexplore.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ad116ac37e2f0968dd423edcdb5dc52.exe"
PID:4484
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  PID:4876
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    PID:628
      C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 204
      PID:3944
      - Program crash
    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    PID:928
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:17410 /prefetch:2
      PID:4488
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    PID:4188
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4188 CREDAT:17410 /prefetch:2
      PID:2108
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628
PID:3424
Network
MITRE ATT&CK Enterprise v15
Downloads