Analysis Overview
SHA256
4f7bdda79e389d6660fca8e2a90a175307a7f615fa7673b10ee820d9300b5c60
Threat Level: Known bad
The file eaef25ab1f59492ffc735a386294b69f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Netwalker Ransomware
Renames multiple (7408) files with added filename extension
Renames multiple (6810) files with added filename extension
Deletes itself
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 08:22
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 08:22
Reported
2024-09-19 08:24
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Netwalker Ransomware
Renames multiple (7408) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\EB5DDA-Readme.txt"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\F1AF.tmp.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1620
Network
Files
C:\Program Files (x86)\Common Files\Adobe\Updater6\EB5DDA-Readme.txt
| MD5 | 0b496c1aff32a5ad4f45173c03b145a8 |
| SHA1 | 2a7c12b98e9faee4d9aae9d2071c41465e9b4b6d |
| SHA256 | a60479f068b02bcc78bf43dba4cac97e4d76a60e2c0ee6b3feed2bc3631ba1dc |
| SHA512 | 45f424f53970ae834a8cff057a5fce0fe34dc31c3dae426c9c5f19bbf79868ebb8c03f6d1d8d1523d77482b8604034a4523f919310579a96237d9f8f26379f2d |
C:\Users\Admin\AppData\Local\Temp\F1AF.tmp.bat
| MD5 | 5c4b85c2d7d3f954fcff6ef198b554a1 |
| SHA1 | ccfb49734acb01e7056879d372c40ecec127ee81 |
| SHA256 | 9c31dffec252410f8b4e8f049eb19a25a3bc8ea0a7feb5a8b1aa46cd8346e1df |
| SHA512 | f13b493317096af0b952fb50a888fea03ace25dfd01de92f15c0ecf0f955a2e773ead7d72f857c285b837731fe531ca78cb44fb917e5edc79d9ddba228049a8f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 08:22
Reported
2024-09-19 08:24
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
97s
Command Line
Signatures
Netwalker Ransomware
Renames multiple (6810) files with added filename extension
Reads user/profile data of web browsers
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaef25ab1f59492ffc735a386294b69f_JaffaCakes118.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1B9799-Readme.txt"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\39E7.tmp.bat"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 408
Network
Files