netwalker | 4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
Size

65KB
MD5

eaef25ab1f59492ffc735a386294b69f
SHA1

76cc795c39cc19465c24825dc5ebafd7f944ea7e
SHA256

4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60
SHA512

a812186ff05baa0c194abc2b4becc145f312b885068773f994658ecac2bfd8e1c85acdfe3774728541ed966f46a872d19fee17a53cc07f3f8e2e94be0cdef1c4
SSDEEP

1536:kxZab6DtoaWM7pgUJJooLrIZadXRM0CFU6InWU1dil:3GDtDD7prbooLrWaPM0hWai

Score

10^/10

netwalker discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\1B9799-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b9799 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and loosing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_1b9799: QWJoU71VLbXJK0MRfJGvwByEL7RlG0+WDDZ+MMIi9bRdz/CcqA +fiv3qF8efgYy7Xhs7OLO3tZnuDjZjTCEZF+/KVR4YYdtFurP5 y4SZlxtVjXma3uqo1fAndGetsFzWtiD0O9s9EU0iTaO5Cmhj4l GPdRgBvqGei2fp0S2FH19v3f8edb6CRijN1WekaMvqr8LasozW PRBYvJhhsKWBO9P9ctt8RKIYociTXhYwCEscZY/C5Kur+c9vva 2hzkPR96WXLkjV98teRSlRzteKeBMpw/vl8/48TQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6810) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedStoreLogo.scale-100_contrast-black.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_altform-unplated_contrast-black.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-48_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-80.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\LICENSE	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\resources.pri	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-20.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_backarrow_default.svg	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-32.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-125.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-high.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-60_altform-lightunplated.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.ELM	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-100.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-150.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlOuterCircleHover.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-unplated_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nb.pak.DATA	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-200.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\1.jpg	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\SourceAppService.winmd	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Toolkit.Uwp.Notifications.winmd	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.QueryClient.winmd	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-200.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200_contrast-white.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\1B9799-Readme.txt	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exenotepad.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

11936 taskkill.exe

pid	process
11936	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe

pid	process
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
Token: SeDebugPrivilege	11936	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 408 wrote to memory of 8920	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	notepad.exe
PID 408 wrote to memory of 8920	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	notepad.exe
PID 408 wrote to memory of 8920	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	notepad.exe
PID 408 wrote to memory of 1416	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	cmd.exe
PID 408 wrote to memory of 1416	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	cmd.exe
PID 408 wrote to memory of 1416	408	eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe	cmd.exe
PID 1416 wrote to memory of 11936	1416	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 11936	1416	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 11936	1416	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1B9799-Readme.txt"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\39E7.tmp.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /PID 408
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:11936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\AppXManifest.xml.1b9799

Filesize
3.3MB

MD5
47f88b9f92f9deaf1ad0d0b451fcf6d9

SHA1
02b2f78da42d272f8649641030f896040f14df3d

SHA256
0a8860c16cb77076902c628b518544e3ce4e999a745069c8f7f4c04baa826a8b

SHA512
9cfc0cd6468405f1105afc9c097411c9d405dbce28f8c545058a2652a01a8357a1a5b5d70ccf50d300536802b2be96ec366f53b885bcb66b6bc1533200561f94

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml.1b9799

Filesize
910B

MD5
80f5d76c538061186161d99c59792d1b

SHA1
f30bf1ddfc3f326e634b6dfd5fc633302eeb28ea

SHA256
db7da76a3754582ae709bec847d36ca5a585e52db29604f1f80246fba84ee69b

SHA512
549479dee418581329754918768924b7f99a07ad687cdcaaa2af0d920cba402a8e156a309081b26639f25c3208d2b526294b36f8195da6fda5949ea9dbfe615d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml.1b9799

Filesize
918B

MD5
742a3f5bf60f874f421bac6743564682

SHA1
cecd259352291ca33d49a02457203644967969a7

SHA256
ca254ce7255b2b8e7cbaf78c877b8f404fa68e00f180ceb55130b001855bf32e

SHA512
a4d9bf5315e318c8caa18e4c572e1e9aee5819f68f6c93f3e312c76ee7adc882b61d189c4078209f79314961e34d796552538eda6a2b6420410d7f39d9bfce08

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.1b9799

Filesize
2.1MB

MD5
8978f4d1ceabbd47819fa9fe0c7cee09

SHA1
ea6e1808cd884fab7ef569c5e40d1592117e5131

SHA256
669448836aeb20f73e61f1c7f4bf2bf33f358ccb6f1c05de3b87d74d534cd34e

SHA512
1fb7e8f4f11d7d4d9d1d553f580bc5336f91a3a0114dfcc4421fded17a1e473fdc2c2d9a2d9f9ad4a7ff052c109dd529be2019d0f1f8d11ebfc22c948ca18995

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\909C8E3D-5402-4F5E-93CA-22D9A8F57EBC\en-us.16\MasterDescriptor.en-us.xml.1b9799

Filesize
28KB

MD5
7c20ea094bfdd989261c64447da189a8

SHA1
20fa29c0c6072e7b1656c133ff6449c5e89d04bf

SHA256
6a29201888267ab7d9110449efa40f6ced53fbd83bcf6edf9efd21042a317049

SHA512
1ccb52261ad4bbce32751735917de6d25072965692f5c4305a3b579fcf0d186f019fe8acaf86e555f2f2a01c86bdaf7413129002c9903def61aa2cc443c6420b

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.1b9799

Filesize
16KB

MD5
9b488a5eecbbcf716c5d90c5224c2029

SHA1
25a5e3218251c8b6201344e8ca8c9b20dd433171

SHA256
bdf839cd967dc05e1d383399562f11d7761ea8c2e88755d93ef0e30cbba4a0e1

SHA512
d49719dd55b6066876965c65404fda1e6c7f9adea1e3977b4022dabe469830635803be0816e5227ad79678d0f0b61ff3bc67e0da14abda1e0f0f78499ab4992c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.1b9799

Filesize
150KB

MD5
7bab3c7998741906e1d8eed85a526576

SHA1
29d746c299829e1d9d612d411e2eb082ed238618

SHA256
1c9d62c9f667f9527017db3c5250464bbbd95b75b3b7d3fe6a8c517e26a3a37e

SHA512
a2bfd660b14bcb623f4c3b935278c5ed90057833b55f0a76f5004236b0be00417d7debd77da527fd8d8db4bc00d5dbfd744581eb52251a019dbc71d819178178

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.1b9799

Filesize
1KB

MD5
af1d0d1f4dbe5e548346d44ad9bde8fc

SHA1
495026240bbe26326d98563f703cd828ed005978

SHA256
a587e68161cd96d142b80fa67eab68b9a192a632978120d38b9414ae1a623ca6

SHA512
955416c253cc68e27ec9440c129698281d31b2670008b896bd02b824454677a19d26fffdabff74073bc1dbce09e77d9da515a5a186a3a2d9c98763f707c3024a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.1b9799

Filesize
2KB

MD5
f19d6df69767157c73da91cb5f14d011

SHA1
7fd57c1039918ddf41ae67f108a5a3bf2104267d

SHA256
8fee59e00e20c7a24451586f8fb107551d22c8c4376393932ea836c39ba80df7

SHA512
9ba4350a2281bf4706c74550e035d7d26cb8378eec76c90597d4fbe96ae58f98cdb562d9cefcea9e6eb75700042c2822252a9081312d505fb63413e0ee71f319

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.1b9799

Filesize
98KB

MD5
57125b2ae333c25d254266bf26c01e72

SHA1
1f75adb4ec575d3d700780fb85119c419a1c5405

SHA256
20686b471d517f2beb166444af97ff89e4e1468382ff2f3be8a7183db8f01691

SHA512
510ca6eaba001e3f5abaae85a7848ad84c4cd2c620733c186a4362f9188cdac7d6b711a878f435163cd2f160d670b418b6df27ed8bad53ba4dcb7a959667fb38

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.1b9799

Filesize
31KB

MD5
b5d2b945a86ff7258ec89be4ce35ddd1

SHA1
813114f463f495786196608ac372f4bbd3c76abc

SHA256
31ed6c59478591590053088c511eda4a6075366b89d495d1bc24e4f1556f6b5a

SHA512
440ec0089f8b3b946087ebf98429b4226947a0afb6d323c3bb72f2bd0a66c57bf2a6a42ec805498fd3a24605877d11130778e7cffef5dff914e2ef6aaf98240c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.1b9799

Filesize
109KB

MD5
0f3a081d1e81bbbb9b680c3c3ad58585

SHA1
4473b367f3fb7101b0b991bdcdc30bf5f985163a

SHA256
dfa4ca4ec2a466dcd39a71192ea0dcfe32f28230c9be35e060c0419fe6be5375

SHA512
55006a466463672bffde48ef1673169890ade18612fc8eb8bb6a33262313073f6d3eb427d1d000cc5b06c0186c905e41266211ef8e0dc4e2f4b90b603480d196

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.1b9799

Filesize
14KB

MD5
4862d525f97904a6270bafe03a2efe69

SHA1
089e7c0bea3608e6997b5af097b898b5c731f8e7

SHA256
739c183075cd1ccad6e2320f262b1992afb67b35dee36be467c702bc6d4ebcde

SHA512
4b33245567de9b55cd4db18150e1230819b18461c074417b926747c9eb7041fdc1eeef20e7fa34dc3f01674218779c5606117bea76ed76d7d29b437357922543

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.1b9799

Filesize
25KB

MD5
2442c27b4e615468e7f6b5db54750701

SHA1
c2a8aee2eb195dc970e076f05acd36065bb9f510

SHA256
89bbf0ca3d43cac54cb88a537af0a7a916d19d3e59750e80f74411da543d5631

SHA512
61e83879142b345ddd9e1018f2f3bcae0b2cc1aed7734838bd90cb82a1d24fe2e168e6a9311599ed627b71e3110c0db158e525f4b45e39f736dd5423229ab0e5

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.1b9799

Filesize
24KB

MD5
d74f14999d5fa89b126697280921e0ef

SHA1
3ce83860f108f77131ee06cd322c170f79965b62

SHA256
06c91d3b52ab0a8470d8a7b84a2866eccae3a21122b4ae7a70f81b94a29b8181

SHA512
ef5ba1164e3c9c3e8cd4b42ff90df5c4221a3a696bc928cb7296fd26e0c02cabd805fde6b62ae6ed459ba41d2426dd619f0836328e32daa259912c972cd8695f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.1b9799

Filesize
24KB

MD5
994c17caf0ba0b77123304e48f8036b0

SHA1
8e51aed3b3e94a9c01587bc3d5dcae1ed4d7b605

SHA256
baed172ca2fe700dc2d5fbd974419d3031395dc24d7941da8de422cf93661982

SHA512
397198858ca8536a2617b3779381e7ae89ebe7b054d54f581611badc44bf4b90235fdd25d7734bc7a8af1d00bd5431ca4a1142cc76f18277fdc4d5008d1ca042

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.1b9799

Filesize
9KB

MD5
1215ee19308f028d94bd5b6a35616454

SHA1
eee34b74fac64d8d8f76bb4cf91d74bdb0f8fbe8

SHA256
ef6dd90cd21fc8d98a5450a6e0600e8e93458123b229f2c9920617731e021fe8

SHA512
477e4dd75f84cd7026bcd684c17215401ee8c695c1cecec13c4d826314c6d67ab188861b63a8c89b4a1a483b2a2237fa700e7c1ff2e76b3e2409ae2552ad0c43

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.1b9799

Filesize
39KB

MD5
d9fbcd00bf1eb417dd836afdfcece6b3

SHA1
66e64f0e2564f9b7c4d235e81dcea788bbb8a8e4

SHA256
88d78aa6a26920b75496f30f776590c9db2dced4c0c5dc8b1216eb52e4ab2007

SHA512
eceb8225c1490c64decde5990136b0bbd4e2d847427ffb0dd7885f8fa7e97c00192819dbd6ab44d5b34beea2082dd43069f4c0f66d885affd08a3a98d6576d9a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml.1b9799

Filesize
16KB

MD5
ec780fdb211deb2592c37fb8f45e1f2b

SHA1
d0b693f6ee4429c1ee664402c4d4d8215ce73f88

SHA256
0c11319cb0d96ed4d8d2ffe268bf546d04f1fc1649e7fc7cfdac7eff9f809932

SHA512
b30da0e70faa76ee7449b6d0db91b4b0e52c8c53777ccde5700528dbc3e14320f1d539c1cb049ae68d7f5b5efabcb9e771a8b67019a36399a75e1714c01b875f

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.1b9799

Filesize
331KB

MD5
4e4a1e146db1ecf3056b793af89d8c85

SHA1
e1b047d249214d4b03657b7bc40f1c728bd9340c

SHA256
8f8662633bbe7b46e789c2b2c9c7a1fdbdc12f9470992f12fb1a4dc2f2de756e

SHA512
d6bf50b8f24c586258d5e309d9324f64e613827e1356e2747c7ae3f894a2270eded12485dba7b1a9a0e965a61133d8e9c15ae1bebf4ba0fd9d696b5d9b073c1a

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.1b9799

Filesize
122KB

MD5
9e258f7f4c0f84ad72bf2a0f897dd4f4

SHA1
a120698452dd068b10722825262760c4ddc9279f

SHA256
c3a50640f810cb10645fcc64d0f75e618ed7e0a85a081cf4ac7c3d671cb161d5

SHA512
42afcb0820a989bf586a22c1e53cb57f6224b7a020860c5238706d08ca8af5c3a978d0843788c7580d87fbed38dd9cd28cacb05ba499487c32364c9c76faa155

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemuiset.msi.16.en-us.xml.1b9799

Filesize
2KB

MD5
0e5d09b50911590e37956791b5c5c26b

SHA1
d70424f6a454eec23d8b9c0412bc7e909cb6ee44

SHA256
89f31e86cf5926bb3472202db862310637bee24f046973938e67e3d21cbccdeb

SHA512
2a685798d192ba5141d339bc135ea82a771ab1ef00ef4cc1e3b5843b701bbd96ae5f907d757129deffc186dd93813e65fc8c2eb17256c9f2086a9e60001f2b22

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.1b9799

Filesize
18KB

MD5
bf9a03a8ba48c5e90c19a678c3f9fef1

SHA1
16a653708befab40e825f293570b21696bf1447e

SHA256
0c7bb2aac5babda9a2e5d401fac0d313a31315d699eee908dca68ae04694a2d3

SHA512
5deeff6e27692073df22c7f52bf78a3a78566f871aca2e624f8528ed2621df27afaf8d2d53d1abb517b851a4ba407d26459cbe3791ef7bf5c31cae7abeb8500d

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmmui.msi.16.en-us.xml.1b9799

Filesize
11KB

MD5
0b7db2d31a3b5e7d3c5bdfc35f66c115

SHA1
1ef2993788ce01dab7035112dd1f83d0e35e6342

SHA256
1caa3ab897f343f05608972084fd3e574d49abbb2c45f010eb7bfb60e723c295

SHA512
cff7664b95b18862597f56d03fdd176d253d44e33001fc9416fba089ed95c5d27a52ebc1b97eaaf4baf01b4ba6a919272c6510bd0a57dfc3f9f1256ce2fe49f3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.1b9799

Filesize
11KB

MD5
4889ce0cc0a34aa145ceb6be924ec5e4

SHA1
001d67c358ba3086515a681aba56491ade8cd2e9

SHA256
dc3de833b1ef993aa3f552263c85548f7e6b1549b263e436d94197db2b080a99

SHA512
8750de0d740253e0f82d63d04c17e6e8f512071197de865ae50faf7d477bfab2e10d8db68eb1ccbb35df9fcab9237b206fb996c668e1857a1922abac8b5c6412

Download Submit
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.1b9799

Filesize
27KB

MD5
7a5aa651d5c1f7f043f4b3633aec996d

SHA1
b1107a10279157f2674581f3936a3f04f0382431

SHA256
391d7ae024caa0f036c404f53f45fbf25a293ec9d6740b1d08d33c0c95c23007

SHA512
9f3f6e0dbf96826845a4675ae61b743d86f27ae47c47a516fbd2fbd90ec09c2613226f334057369601b4006066bfa6b7a11d25d5c29a5a5b4018d4f7e82f224b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\1B9799-Readme.txt

Filesize
2KB

MD5
5a586ce39a61ed68c0cb989cf1df710a

SHA1
f028b89077860542a94c51205f8283773e258b8f

SHA256
823b62062c12c2a86122c8341fc3a34d680075614772e194216efab325341557

SHA512
6cc38bc5d8585a8a76bca7545b48acdc80ba1278849586f66c4ba6c23351748e78d03b3829c6618094989093a039af783e889bf672cea214fac8591772a2887f

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml.1b9799

Filesize
3KB

MD5
72103b02285d171fcf8c8dfaf965bf3d

SHA1
200e84e9aae67d07044a180c64c13f70105418f3

SHA256
f5236101bcb0a21ca435f5af9ee44de213da2b47294ef72570f502663207d754

SHA512
a5947e313787b0d89a59b33b2c8a367acb54a77008575b1305d895d4557694a292db772ab34fcc97e9cd9ebcbc9c2dc3c48bbd2ef12bcee4f4f4ab7bc3a4d214

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml.1b9799

Filesize
3KB

MD5
154fc5d3a65bf4b83db5641b60a18a97

SHA1
6d6b9fd8a12f1719d2e7a40735b994cba9019d4b

SHA256
4b238ff4280a8ef74a87ab6268535027e9d634a5018a091e069379e631f47938

SHA512
a5c49ee1c4ebc350bde407a853c3766c9c30a608437fc70fd69528d69dc363bc9de61db276ae037062defa1003734686bfadd8592c3ceac9d49ecaa4e7ebc38e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0891dc5f-1cf8-f01e-4d1b-4aab98d2c016.xml.1b9799

Filesize
3KB

MD5
496aa05aa78cb37cd44f2406807daa66

SHA1
01dc46c9344fecd343170131f68301571f34b7ab

SHA256
d667942c47981adf821297a5b3a4c4157a6f52366eacc6e8e1fea097954c6555

SHA512
9de4ba522430a59bac986cfbe4b57ef0b43c670886d385b60179c98151aa1cb7cdbc21d9ba6dde058dddb0ea3d1f5f251d3ea3d3a67475da52d3d1dbc316a880

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\09ec127d-8158-a906-c12f-44a86e3e994f.xml.1b9799

Filesize
3KB

MD5
729fffdeb7be23c70508e8a2afdb21fc

SHA1
848cd456e2c1c61e689e40784ef39031212eef0d

SHA256
42b153d2c3f5704fd39063901914da24240fe9f516c82057a65fddb6f802806f

SHA512
a0451a23d09711601b6ee3b43b28c2e7205dfb71af30e635d24811fb81f0ce712da83849354623a259cbb2f16b3620da123e82b869a61f10b360c0dec080b74c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0a8c1492-65ca-6a01-de25-0e183559d10d.xml.1b9799

Filesize
2KB

MD5
eef85493df677557dccee9430a6ecefb

SHA1
d7d63cab6a3f660427ac5c7b04bf308bd63b077e

SHA256
8fdba052a9a9eee85a92407bd9d09f320670a443701e2230cf05b38e9511a44d

SHA512
60a7ef16ebc15365dc883e71bd62eeaf79d5c22f49c4350224542a10a14e507f0874da0671323c0fbf5f3566769380df7c9f1d65e99fbf9561a1058588c81b69

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0f8e2cd5-b8eb-7a22-b9e9-9b1183fa0a84.xml.1b9799

Filesize
2KB

MD5
17a204f73dbf9609a84ef42b42b73c7e

SHA1
4c082e3a09ccc5fd755bf7af110c540671fcfa81

SHA256
155eec4e4d2aad087d0a59d2116c0513e79e55e8edfb02805c236a9a995b54c5

SHA512
c89fe3817964a4a827f1df6c69be7a3bbe446050278c9a0937cbc8b5e62f0fb489f82e079f462f9f76cc472161db24a7cd9f75865903f3ece9bdfab38f245669

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\13ba8772-845b-29a1-ae9e-fb2793ccf4ea.xml.1b9799

Filesize
3KB

MD5
adac38b57d9e0be067be533e8087dbe6

SHA1
55419966cc45def14d04b5d990c98687c0db19d0

SHA256
799e82abb5da2389c8d720d57f23b2988c9da01a01c7f61f3ce102a8b497ce2a

SHA512
10c99be66afbe8bb589d01215583e723d869fe5e4cfb9bccb148a54533371ad8cf3a6b5a974be1e01a02c7030fe675d2718b496500aaa28542a057b4eae11c1e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\18549a9c-bedc-b855-f0e6-0787d8b3300d.xml.1b9799

Filesize
2KB

MD5
ce6fb51c871c17483adb3bf1ac7b32b3

SHA1
0b9db4ea6d124dc4f75ce158584b98cf11e0ca87

SHA256
e9ce0f48770101959983e959e9f544a3b3d936b82df7846c22b64021120cf321

SHA512
5e4e0dc441546df07fab4a9ea74e4df770806b6117b3adc67b38678af48ab3b5b059ed27003000c0e04f4cf744a99ab65b5f342cb11ecb73226287ab0394359c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\1e225998-faa0-5fd4-4db7-5e7686ee3b47.xml.1b9799

Filesize
2KB

MD5
3a2be6726c07c08f3394ea90128cc7ca

SHA1
7452219d9c136f8c4d49ea67e8b05412b85f7418

SHA256
82099d95eda045dba909866a1652aaac23ffc2b3e82edb140d0029309c607871

SHA512
2a319acd8430b35c9490ea51ccec84afff4986d4a15e069d93a42048d79c4b223e1691728ae68489cfb7e763e3fdb22fb255500d4805afdac9cbfa08769fe1f1

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\1faf63f7-f387-4522-1175-68c9652d968a.xml.1b9799

Filesize
2KB

MD5
792c2f1612370f7c87133faa242e2e4f

SHA1
cf1676bb15dc518073de96e31cf99f8d31aeb92a

SHA256
fffec21b9e7b0c9f0960f57bda15eadcac1fc60796a14c70f00946964988a099

SHA512
70b43b61d320160b3b6e275819110a3b6a904661d8de082130920ca1ec40cec954fa861058fcfcd62b952c38ed863ddce15b579e53aff1597e0220774eddeb82

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\215f9712-9fca-a3f8-5b11-660eefc73b96.xml.1b9799

Filesize
3KB

MD5
621b83286e83c4bfcad8f3e6d04b5149

SHA1
59fedd11865c83c3749e782eb089ddd671aca327

SHA256
733c37414524897a6686a97699b6457545fd5ca7bcecafe7a98878b244651917

SHA512
1fd8a388ac88aa491db5c713b7e9aee6fbe37fb81f02582138008a9cd3c3bf916bab3dc75c1ff73107de6fe5d4dd4779972696ebf12bc354c36c6caea403f229

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2657f7c0-8294-58c3-f394-15fe18ba174a.xml.1b9799

Filesize
3KB

MD5
085a4ac8c4b9e695ae5d415d7c0fb788

SHA1
714489923cc74920016d09654c278a0e5dc7feb1

SHA256
3421250b47bd552390ee1404d67e2bd3f07037181e611ef81b2df1127546cde6

SHA512
aa1e5566b5ad0bf3137cf81dec86c80f860e728ca0377f39de975a634767a773dc06bcad67b51382906dd31105e3f2051881f83f5c719ba341da5862a1a7f587

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\28502d06-9d29-8514-1e5d-64447116d798.xml.1b9799

Filesize
2KB

MD5
31e125413171a5873cd3699c819d4e7c

SHA1
711e9c48d7187c830e945065544edaefe15ebc35

SHA256
566cc850bf0b721b163aaf6016ba7e9b1948c70802329b4d13a6bb875d0b11e9

SHA512
207595e449d6517fccbd35ddba7e0797f960a52b78165267f56be31775b0326a426cf219d84ac6d12ac463ba1c93c8a04ef16c4069bf9daf214d0cc5bfa4d53e

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\28748306-9f02-a5d7-6ded-4459fddadc31.xml.1b9799

Filesize
2KB

MD5
429100ec860f9f0659e5372c9778b28d

SHA1
f5f0a0c4ad2a7f628eabd63f3d0e237e636e9a4a

SHA256
18e951918ccdb4b6e6beec20136b29ab404e8422dd3cc62a2aef9b000af0845e

SHA512
2e71c4e557b6d16a81816dbb8982c48a679a804b425f9a92213b946fc3e09b5d248ad88cf9c92eb013f7d7564d1480616d51310b249efdd92024673cf9bda8c4

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\28d99d02-a6c1-1b29-22e9-dccf6711653d.xml.1b9799

Filesize
3KB

MD5
304ab2ee2fc190da190ad87e3ffbcfd8

SHA1
119514d23a327ec6cbaacf4c3d07456f029ab838

SHA256
6a982c357fcd3c59b2381f9062c7ea02da676e31a31c6ed9547a94e5029fea5b

SHA512
62ff7608cd426913e109a975285d896a9532fe7bacf0024fa43c96160420d9832a08240c861195ce849373d21d6431744a1487212d0872b01384a069195a5bc2

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2b5d0f60-d93b-1629-f3e5-4167231c7ee6.xml.1b9799

Filesize
2KB

MD5
779c153735483e683cd5d06c43b85c93

SHA1
c1154814ccf8cf6d49da863b5398b9cfd4663435

SHA256
a8d835b59e3c02574eb0acd5041f3d14eedbadd3f3a4686f104f27bc475c977a

SHA512
d44a4222584d3be072fbed1252ab517e4589d67e627131a9f7ed99151c0d96843c3dd76987c15921e252f8c2d03811bd0ea9d643b4643b1ea4d66e7c1ca8893c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2c47903d-15ab-20db-6020-db5206c59481.xml.1b9799

Filesize
3KB

MD5
a874ab4123154a5316f5cf3bfb59a7b5

SHA1
f29cecfb4beb66eb169f449c9ea63223db2de318

SHA256
324f47ac3dca4dfa527828123ac70d1050e373801a19634270dd82e25bbf42f5

SHA512
20f644ec19fb1811f432e9300ede430d0e29037c076ff6d3256c827bb9d94809bf5244876b440fc3544381a8be2530201e6b28696595aaf57e75ee0c39a9d64f

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2c6fb1ca-7f49-06d3-3080-e7811bdac4b5.xml.1b9799

Filesize
3KB

MD5
776dc811624370e82e2bd0a70e26c2a0

SHA1
9b664e936bd61404ec485cb02c048b642c96cc7d

SHA256
b5a9f41819234a5db4b43366744dfba6ec26a2698fb293d154af9c428b41e601

SHA512
321b1cd5b3f9bda7ade6c7dcc5c04087fe6746fb6888d50daa2465c4bb5f7eed190f3717baef7b2230b76a0c6c9b348cf6130226e13c3892df076b0c966f8828

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\2e267d1c-9ef4-8ee3-57be-e11f61eb9d03.xml.1b9799

Filesize
3KB

MD5
18c1233bb2bb5efa5a21ce4c596c7a6e

SHA1
378baf21454482a9ea81cadaa199ffbc3acc8767

SHA256
7b909378360e6040e87e7d94309c1f4cbc4bec79d44117012e06809e8186406b

SHA512
29f5e5843fc53173f4e0c7d1c31281e7a2b396f34e1ebb2c3a84c410abf7e8d58345356e751582ea74621bc33859a0858339efb6a72640e40e8edff92b9a45e3

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\306e67c8-9a1d-38de-8654-054bd8a6e6d6.xml.1b9799

Filesize
3KB

MD5
0c195dd9ec19ea8d6c6a5e72639241e8

SHA1
d40e4cb6a2d44ee8b066272f17bfb51d33fe5d56

SHA256
8c145e4f7fb4743e45c22bdb4964d9435c9ffac99afa9db2d446c27c533b7072

SHA512
130321759d24ae33b8162be395f483e25269f2e68194faedba1d986d996df48f1bb0cb6304602cebcba58984aa67139e1f24d0df81fde4e9c477ae64e7f81aa7

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3110b8d7-d60c-6adc-c3ce-bd22f748af91.xml.1b9799

Filesize
3KB

MD5
45ff14493957b54bae12f2aeaa298499

SHA1
a545b1355198cc5d67cc0beb3363f68ce0679e79

SHA256
f858ec8d51dfd07677e3b5e0e0b4e57850d645681c2a5157d6d13da10593bf68

SHA512
36485203291444030378eda0e0ebf69c68a43728646ee76a68856cd6569ae609de16d87f179b87dcdaac2523c4b88a0478ab5d24a810852c25235cb9c74ce97b

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml.1b9799

Filesize
3KB

MD5
8c55d585aca19eee92f70f1fd6d8eb4b

SHA1
94d530a13f85c65bdad759fd195950bc7e12feb9

SHA256
f71391e24fa3afcc05b552cc55cda5cda303750291c1c37fcd9ddbdd4874af94

SHA512
61fae3e83c6868169a1fe4dce70e46758d90a57218294caac9da12cc2834be81f267a83789764b2667101c30afe6da6eab507f5c2aa0d12328ad8c0a58e25017

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml.1b9799

Filesize
3KB

MD5
816fcef721a478605bfc6267380db2e4

SHA1
62d63cf3e0297f19bbfebb7a6c71f6a5ec672fd7

SHA256
35d91fa0ca5c5f21d4759b088d1c2cbfc04a6e89711f0bab3469318fa2ab47ae

SHA512
3e9cffadb51c838d7c84ec4f84e04375c58e2b689747f3fba8e35ab5edc44ffa041d739dc0d47c5d8151379511d1523ddccc38828ee2283fe0480086750cf328

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3f586f55-284b-e455-06b2-84c84e8d0d2d.xml.1b9799

Filesize
3KB

MD5
ba8a1fdd1fcc23bd7e7a95de3961789c

SHA1
d0e7f92f0a2d17324a74f3e00c5e7f64dd13568e

SHA256
e5a83793d5145aa1ebe4476c60a5ea67786c3a72b4cd017978f45477f1401304

SHA512
6551b2f7c739b8cdcdb1195df571366de013b5239a97f644e9c71774595b9e085a9842d36a6bdde0fb9a24bc6df5b4caf2805c22b9ea5214d593ad5c3a6a7bf1

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\458cc994-beff-c5bd-7b1a-e69e8e798976.xml.1b9799

Filesize
3KB

MD5
c0db7b039a2e9669a24be7f3109d0e81

SHA1
e5a1d21d6e97d1600883be740254082bd703b0da

SHA256
7146d80153729b5ae905870cba9ec8900ae590772c1a1caf9aa3712d9291edfb

SHA512
9c5f1286a4bfac6b7402f7b729ad524fc4b2e3a76d20dab1794f0cc5ffb9d9d5ff002fef8da26068e54738e676afb7ba4a0467f54bf0900ffa4c0cebe7829263

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml.1b9799

Filesize
3KB

MD5
6070fbc0914e5334418bd5cab99f59e4

SHA1
e85200c964e7430b032602e480175db478c56404

SHA256
151062a6985181c87afe1e395c82f5bf09cac65ad44ed36475a2d9db5b8b3051

SHA512
340ddbc3831f82da837df03dd95da45558bdb446f87989c2999c5c31a9f44f343183fc8d73ca5b1890c7457f775b1d8e2f1ba65b4d51ccc462b2de4f707c8e78

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\517cfcaf-138b-1796-2cea-62892204250a.xml.1b9799

Filesize
2KB

MD5
0ea28f9d370e183a4b42b4c96a842537

SHA1
9975aa9debc56104166d94b035595c2d969464a9

SHA256
504b28a18deb4abb63de450a35c07e403baed2cc251baee16181993ea64de0de

SHA512
367d526a1dc6daf600ef45eb2aa845af211d34b8588ec4a30688474b68c7dc2d1b679074ad60ac5661effbe6d85b50dc36280bcb4749788d759fb36463087d2c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\56780d7d-d4dc-b9a9-c121-bdd323bdc3b5.xml.1b9799

Filesize
3KB

MD5
2f63a820c8b80f3c643181356aa7e0be

SHA1
6aa39e0551eb291bb12ff5524da2554a5fe06fe2

SHA256
9cc61fbf57e22075b03b4487faa16f59b50608f3f288089a78f3e5fbc85363cd

SHA512
541a38303f0611481f538a782b5f7c605fd76e7f80e1b8b78c29180bb60af9831a49085a5452608b64443746f6f59c14c6560da46987c748e934cf46ece3e506

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\5c834b0b-64f8-6383-854a-915ac7ddab77.xml.1b9799

Filesize
2KB

MD5
e43fc8f1ab73f23b05992799372730a2

SHA1
98d5291598d40b56e6b0e1f9df323c5229e4942d

SHA256
eaf7d710d6baa4fe280b54a5f041d1822070298c8f9ac356b036fc132e40de18

SHA512
5ee7ebfaa5f0aefe50e6ebc65ae592f6c717b42a25c29756350eb58669bc654aae7ac839625dacf31d3c0ec268767cb0caef0cd6c8fbaac2d748d30271920c6a

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\61b5bd89-4cb0-db77-6622-cb63b5a58080.xml.1b9799

Filesize
3KB

MD5
bea608755ae89e127f172a056051f8c1

SHA1
2a6ee10a0fed8f6b833e588e81d2a8c9113114be

SHA256
982d93e0585d8ddebdd48d03718939717e654db1c51ee38d4f9852a342eaf627

SHA512
5cc7548c322bcf3f69404d966c60f4bf869b4671ff606d1c9f9de211a8c504a932c2d8c8805a80218002fe8bf510360086c1cf142524cb537442604da917d226

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\e6409841-5fa2-7a86-54fc-a0a0e41c74fc.xml.1b9799

Filesize
3KB

MD5
e5ecc0faaa710be9392782e172a5b45d

SHA1
45333fae22518ed1ee3210433ecb0f3a7581573b

SHA256
a4834e258fa3893c20d3b5ae50566c7d3345e11029b610b0356164302a400e5e

SHA512
bf2ece82135f4a0412227bf4127cdcb806606f12c7fad8f995334d05d32e49f026db09ba451867253d490dbe3b4b90e195252d012603ed76b0342701f12686da

Download Submit
C:\Users\Admin\AppData\Local\Temp\39E7.tmp.bat

Filesize
122B

MD5
9d4695e465ff6128a93c5769c2f1c2bf

SHA1
fa961bf40e98b2b8c6b3aca2d2ff4d04cdfcd0f3

SHA256
6b34f523f6ca4c65e951a04e6c64a17b46aa1b5fbc9319e8c4f4ed4afa79d49c

SHA512
d55c9b9128bbab843181e82f27149410ab789633bbebffd128371265535026f6cee4612ac20bf631f71139535953079898b0f53f1ac515f29e81a0d1773f76df

Download Submit