Analysis
max time kernel: 150s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
  Resource: win10v2004-20240802-en
General
Target: cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
Size: 908KB
MD5: cb6cde58d5a246fcef6a2b1f9ad96dbb
SHA1: 1c311562eee808d0af5270beb9cb077893efb066
SHA256: b3dcd6e523ce44cf15638ca1f0de17554758f38ed8b7e7965b868fd28cb797dc
SHA512: d2cd44fc69252fd3de34497d753ceb5db72e28cff920a2d649456abf98e57d232dedb982e09a5954532389f2cad5a0d986c1f1c0512b0a6f16a470110a5eec59
SSDEEP: 6144:y/WXp13E8LFVy9KrE0zxiRgvLK9HvsG8todmCn4q/FVv4fTYnGu9TKC8+3KI:y2rbVvdtqzZdKC8+3KI
Malware Config
Extracted
C:\Users\Admin\Searches\4F7D92-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Renames multiple (6821) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
-
pid | Process
4104 | powershell.exe
-
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | Explorer.EXE
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4104 | powershell.exe
3516 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4104 | powershell.exe
Token: SeDebugPrivilege | 3516 | Explorer.EXE
Token: SeImpersonatePrivilege | 3516 | Explorer.EXE
Token: SeBackupPrivilege | 2380 | vssvc.exe
Token: SeRestorePrivilege | 2380 | vssvc.exe
Token: SeAuditPrivilege | 2380 | vssvc.exe
Token: SeShutdownPrivilege | 3516 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3516 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4104 wrote to memory of 688 | 4104 | powershell.exe | 89
PID 688 wrote to memory of 2164 | 688 | csc.exe | 91
PID 4104 wrote to memory of 3252 | 4104 | powershell.exe | 92
PID 3252 wrote to memory of 4136 | 3252 | csc.exe | 93
PID 4104 wrote to memory of 3516 | 4104 | powershell.exe | 56
PID 3516 wrote to memory of 21936 | 3516 | Explorer.EXE | 107
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3516
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cb6cde58d5a246fcef6a2b1f9ad96dbb_JaffaCakes118.ps1
    PID: 4104
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjlz45fl\mjlz45fl.cmdline"
      PID: 688
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C4D.tmp" "c:\Users\Admin\AppData\Local\Temp\mjlz45fl\CSC9780523AB30E499EB1DBB7A5D13A313.TMP"
        PID: 2164

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0lc3qphp\0lc3qphp.cmdline"
      PID: 3252
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D18.tmp" "c:\Users\Admin\AppData\Local\Temp\0lc3qphp\CSCD8537F8769B74967A7C1E9A180B41142.TMP"
        PID: 4136

  C:\Windows\system32\notepad.exe
    Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\4F7D92-Readme.txt"
    PID: 21936

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2380
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15