Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
16-05-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
Resource
win10v2004-20240508-en
General
-
Target
49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1
-
Size
902KB
-
MD5
49b3ed4c73d8d5a6613b725d40172590
-
SHA1
07e30496992d7087674cf5542c78856f66ff7737
-
SHA256
1899ff66b76a3f6302fea0afbc26c8452949345d2ea6d987b683c6a0037f22d0
-
SHA512
026c0a58a56747cbb9efab721382924d6da48c65483325ec868c9c894ff601a0461fa3674f4fa01c570635521cc6e7e8c96efe8765fcf68aa7eb713df988e2a3
-
SSDEEP
12288:aeeKC+CqCJCqCwCqC7yH5A7+vEeJaZkeq06aQKLI1XqO/bYyoSWjUUFy55576GYj:J
Malware Config
Extracted
C:\Program Files\Microsoft Office\FAACFA-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Renames multiple (6692) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
-
pid Process
720 powershell.exe
-
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync Explorer.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE
-
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
720 powershell.exe
3476 Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process
Token: SeDebugPrivilege 720 powershell.exe
Token: SeDebugPrivilege 3476 Explorer.EXE
Token: SeImpersonatePrivilege 3476 Explorer.EXE
Token: SeBackupPrivilege 4868 vssvc.exe
Token: SeRestorePrivilege 4868 vssvc.exe
Token: SeAuditPrivilege 4868 vssvc.exe
Token: SeShutdownPrivilege 3476 Explorer.EXE
Token: SeCreatePagefilePrivilege 3476 Explorer.EXE
Token: SeShutdownPrivilege 3476 Explorer.EXE
Token: SeCreatePagefilePrivilege 3476 Explorer.EXE
Token: SeShutdownPrivilege 3476 Explorer.EXE
Token: SeCreatePagefilePrivilege 3476 Explorer.EXE
Token: SeShutdownPrivilege 3476 Explorer.EXE
Token: SeCreatePagefilePrivilege 3476 Explorer.EXE
-
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 720 wrote to memory of 1200 720 powershell.exe 84
PID 720 wrote to memory of 1200 720 powershell.exe 84
PID 1200 wrote to memory of 1984 1200 csc.exe 86
PID 1200 wrote to memory of 1984 1200 csc.exe 86
PID 720 wrote to memory of 4604 720 powershell.exe 90
PID 720 wrote to memory of 4604 720 powershell.exe 90
PID 4604 wrote to memory of 2212 4604 csc.exe 91
PID 4604 wrote to memory of 2212 4604 csc.exe 91
PID 720 wrote to memory of 3476 720 powershell.exe 55
PID 3476 wrote to memory of 3256 3476 Explorer.EXE 103
PID 3476 wrote to memory of 3256 3476 Explorer.EXE 103
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE 1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\49b3ed4c73d8d5a6613b725d40172590_JaffaCakes118.ps1 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5djfphb\u5djfphb.cmdline" 3⤵
- Suspicious use of WriteProcessMemory
PID:1200
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A76.tmp" "c:\Users\Admin\AppData\Local\Temp\u5djfphb\CSC672398843235458B83201CA5DA64E07C.TMP" 4⤵
PID:1984
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtdy4ien\jtdy4ien.cmdline" 3⤵
- Suspicious use of WriteProcessMemory
PID:4604
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D74.tmp" "c:\Users\Admin\AppData\Local\Temp\jtdy4ien\CSC226402A9AC764C488E70A7C9DAF19D82.TMP" 4⤵
PID:2212
-
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\FAACFA-Readme.txt" 2⤵
PID:3256
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
Filesize 3.3MB
-
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml.faacfa
Filesize 2KB
-
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\cb692946-a9f3-639d-1064-a6d75a01b9c3.xml.faacfa
Filesize 3KB