netwalker | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1803s
max time network
1600s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Size

902KB
MD5

7770c598848339cf3562b7480856d584
SHA1

b3d39042aab832b7d2bed732c8b8e600a4cf5197
SHA256

ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
SHA512

02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
SSDEEP

6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9

Score

10^/10

netwalker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\BE4FC4-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .be4fc4 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_be4fc4: fxQouqNSKYy8q3a/7O2ZbUjOBTs7ufQlspjGyuwE3w4Rtbzm8d +mBYqUOMNX9y1K+SQCjDmrArNtmZQ/EZx6RacI6XB7UVQDkTQh 0hjET77DlzEd05L32aXJBaqUnVTBjnbSELZSoLOB2NR7XlTR1x DFULC75PYl4D5O72ArVjJo07rMzEc9ycD+n4rSC4Q8W3bYAwa+ eiPrV11152Yb40gLHjQ0zKU8S+mTXB7MH/7lN+8uGX2RsUQANP 30pJnNnRHjqKqqZz/gSZHTSjalVYiKVvuasKwEdQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Explorer.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TraceUndo.tiff	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\NewStep.png => C:\Users\Admin\Pictures\NewStep.png.be4fc4	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\SkipUnblock.png => C:\Users\Admin\Pictures\SkipUnblock.png.be4fc4	Explorer.EXE
File opened for modification	C:\Users\Admin\Pictures\DenyUninstall.tiff	Explorer.EXE
File opened for modification	C:\Users\Admin\Pictures\ResizeOpen.tiff	Explorer.EXE
File opened for modification	C:\Users\Admin\Pictures\SyncCheckpoint.tiff	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\BE4FC4-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\el.pak.DATA	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-150_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected.m4a	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Stop.m4a	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\BE4FC4-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-hover_32.svg	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Campfire.png	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	Explorer.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board_light.css	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_100x96.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\3DViewerProductDescription-universal.xml	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\BE4FC4-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png	Explorer.EXE
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-100.png	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	Explorer.EXE
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\BE4FC4-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	Explorer.EXE

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 43 IoCs

Processes:

SearchApp.exeSearchApp.exeExplorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "926"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "926"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "926"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "893"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "926"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "893"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "893"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "893"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "893"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "926"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "893"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "926"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE

pid	process
2492	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

powershell.exeExplorer.EXEvssvc.exe

description	pid	process
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	2492	Explorer.EXE
Token: SeImpersonatePrivilege	2492	Explorer.EXE
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE
2492 Explorer.EXE
2492 Explorer.EXE
2492 Explorer.EXE
2492 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE
2492 Explorer.EXE
2492 Explorer.EXE
2492 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SearchApp.exeSearchApp.exe

pid process

6540 SearchApp.exe
6816 SearchApp.exe

pid	process
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE

pid	process
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE
2492	Explorer.EXE

pid	process
6540	SearchApp.exe
6816	SearchApp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

powershell.execsc.execsc.exeExplorer.EXE

description	pid	process	target process
PID 4132 wrote to memory of 2676	4132	powershell.exe	csc.exe
PID 4132 wrote to memory of 2676	4132	powershell.exe	csc.exe
PID 2676 wrote to memory of 728	2676	csc.exe	cvtres.exe
PID 2676 wrote to memory of 728	2676	csc.exe	cvtres.exe
PID 4132 wrote to memory of 4836	4132	powershell.exe	csc.exe
PID 4132 wrote to memory of 4836	4132	powershell.exe	csc.exe
PID 4836 wrote to memory of 4908	4836	csc.exe	cvtres.exe
PID 4836 wrote to memory of 4908	4836	csc.exe	cvtres.exe
PID 4132 wrote to memory of 2492	4132	powershell.exe	Explorer.EXE
PID 2492 wrote to memory of 6184	2492	Explorer.EXE	notepad.exe
PID 2492 wrote to memory of 6184	2492	Explorer.EXE	notepad.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\NetWalker_19_10_2020_903KB.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8561.tmp" "c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP"
      4⤵
      PID:728
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp" "c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP"
      4⤵
      PID:4908
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BE4FC4-Readme.txt"
  2⤵
  PID:6184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133076487607126064.txt

Filesize
71KB

MD5
b2a08dfbfad762fa8b0cc837be238401

SHA1
51a4ad8b13f5c593d8da20d4b317666022cadaef

SHA256
7db07e239f25c7a589416a0c10c2cd58ddc5cb67e4397c112b1cae0c324cfab9

SHA512
af1f3631e2b83a0e2f49e9655a0bf52f321cde5fce986eecf98ee715c62150e6b9cffa7253627ec779b2df1fcf4774e3ab4792886fd19c0aba97ec94974cc83c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\B0ESNM48\www.bing[1].xml

Filesize
1KB

MD5
d3435f0a28674b514bbd7ec84e7c9d95

SHA1
3dc57c9137b01765e8d26218dac59f33b84ccd7e

SHA256
c8dbcf5bc4252528592ee6de2c0f7db5615f7586ecf98aa70b3658e8701da07c

SHA512
02234d3394828844c162a9457687a8218e5290aa1edbd11f012f24f1586e0b86cb38af66d89ce27ca4ed5b5cb36e1aa6be17cef4a51b4c5c99c3bfa97a31c71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8561.tmp

Filesize
1KB

MD5
3bff9c4e1982dc263994dda79dc26525

SHA1
9b5308ca8976a15912e86e3dc2d630c789390c15

SHA256
d8d0bad402d18fed8bc818dfc9a4a359c29406009d100d7ee1b11a2881bfb0fa

SHA512
938e18d1acd19e0241fa88d4f9aa678008e6819660aa330e687b01338f4873822e9b3664e1841e656aee62842a91ef340d28e627f9b84cc800b0fa68f36f2d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp

Filesize
1KB

MD5
1c259e0e61040b9bd4bac03726deaa35

SHA1
39f1fd01d0b503ee08ed8d8a466f4421401a15a1

SHA256
d2bcb57cc39851a8fd318d4c9592f5cb956fb4d94fa7b5294f83fa3500656f05

SHA512
3880641066b8aa364a155746c4da432819a8d160af7197781b154f2ef722f021a170c8e21b6c352339acc5cc3df07ff2c0c3c28dd83a73e5f4c492e9f1b51b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.dll

Filesize
4KB

MD5
0ef848e9530dd92f398413047aeee4f3

SHA1
45252a501058a7663420208b1fbfb9e57b9dd119

SHA256
6902d05f6f53f98b97fe559e30a43ceedb62ba7ca8c9d820486420a15cfe431a

SHA512
8597f925bf88d1076558739ddec503d00282076cf5f46395f00aa09b012af383ee06464a63f14ae9a16376646073fb4ac8d45045735c78e8fc27aefa70a624f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.dll

Filesize
6KB

MD5
b3e44825d4b51fed8c3e148eb194b554

SHA1
97732418ae0886fc69a5b6b09ac156627c72813f

SHA256
b3001c6d193ec1af24c0c99c889744911be4cffe0c5d2ca4b3b0f65fea8dfde1

SHA512
d4f4d92828a7ce8fc0739cd26432284e62e3dd2a5c0d33faecf73f4d31414dc862817600b2b259ec4bc34f5679bf73f15493d8cc000dea1b6855f47682c0ef0c

Download Submit
C:\Users\Admin\Desktop\BE4FC4-Readme.txt

Filesize
2KB

MD5
b46b97d5c97c1533c06b1ffbee6b0087

SHA1
b595f449cac2b6b4dc9d5e9ecb3e37cd842e3c13

SHA256
00e8fdd0645912363983c0631de758db9fa57e5a1d468e14ac63e7913417028b

SHA512
401499c409168ea2e8b380dcad84db48680a87183fef3714c143084b1275f8435c90e3df83a2e628459d3540f3be8b13c5c9b0188ebba6c2df61cc093c1bd5ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP

Filesize
652B

MD5
3c4e596af22261bc9b799e43d23a775c

SHA1
5f8fcbd7ef0d1f59300036836d5ed6e56d61f81c

SHA256
b871286443ddb67a3f4ebdf66ffdcd1267aba3036cac81d6bd3e1a431b4a8813

SHA512
e1e2a04b1759b879eb8af37d3e03053b97f581f14f3ce516b981fe5381bedef7d78b642ca9d885fec7b16043c9211500dbd36389e7f717a5f6171b92ebd9bc22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.0.cs

Filesize
2KB

MD5
1cae52936facd4972987d3baef367d8d

SHA1
ad2b4b58d20f290b9da416cef1ef305cf1df6781

SHA256
28b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400

SHA512
4ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline

Filesize
369B

MD5
029404c5e599fcbf0eedd69ea3c6ab43

SHA1
cf2222109177af14dfbb9f5739fe8f2025357502

SHA256
a89c086f8b53e309bdf12611ea071838c8162283b7b231be055c4da85591ccb5

SHA512
c499229f0a49f205468ea1dc7e5ed6fe60b3fbb420b86b235b323251104fc95cfcb702bba3d7a5cc0b0841edfc6b4e9506bbf3e10e99bb0a45fca7884d0eb88f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP

Filesize
652B

MD5
0594c13e862f161d3af22552ca28f4e2

SHA1
bdf19102aec9a4189283f51727a403e18767f3ca

SHA256
7c4e0f8c79c7a51375ef3951eb4f89d9d366f8ed75db0a9c4ac79a6d7026a03f

SHA512
68ee73f3f84fc4a5c303747f658c6d3e0afe53940ae28a59f6e0c3e759d2e3047354e46f3ee886139ec043c73a5448b28b7f35912a3fb542084c1b669722ea02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.0.cs

Filesize
9KB

MD5
64db54f88f46e2ecc57b05a25966da8e

SHA1
488dbbbab872714609ded38db924d38971a3685f

SHA256
e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5

SHA512
8791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline

Filesize
369B

MD5
2dba910482ee581616b11a4408ecee6c

SHA1
3c9677516dc9916a0abab1a35bc81301ec96b8b7

SHA256
b8a13403f7c891798170310760bdd09ab76170309fc2a423a5cafc649e62e97b

SHA512
e875de0ea3cee3de928aef073de6e3b2e5f227718af44ec397fc37cb400723461232f806099b444324f6fead2b9d5ce7eeca1110aa9b3962b50fee62a7351438

Download Submit
memory/728-137-0x0000000000000000-mapping.dmp

Download
memory/2492-148-0x0000000000D40000-0x0000000000D62000-memory.dmp

Filesize
136KB

Download
memory/2492-150-0x0000000000D40000-0x0000000000D62000-memory.dmp

Filesize
136KB

Download
memory/2676-134-0x0000000000000000-mapping.dmp

Download
memory/4132-132-0x000001DFC06D0000-0x000001DFC06F2000-memory.dmp

Filesize
136KB

Download
memory/4132-149-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp

Filesize
10.8MB

Download
memory/4132-151-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp

Filesize
10.8MB

Download
memory/4132-133-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp

Filesize
10.8MB

Download
memory/4836-141-0x0000000000000000-mapping.dmp

Download
memory/4908-144-0x0000000000000000-mapping.dmp

Download
memory/6184-333-0x0000000000000000-mapping.dmp

Download
memory/6540-172-0x000001678C680000-0x000001678C6A0000-memory.dmp

Filesize
128KB

Download
memory/6540-195-0x000001678C6C0000-0x000001678C6E0000-memory.dmp

Filesize
128KB

Download
memory/6540-163-0x000001678C9D0000-0x000001678CAD0000-memory.dmp

Filesize
1024KB

Download
memory/6540-160-0x000001678C840000-0x000001678C860000-memory.dmp

Filesize
128KB

Download
memory/6540-159-0x000001678BE20000-0x000001678BE28000-memory.dmp

Filesize
32KB

Download
memory/6816-255-0x000001D83ACA0000-0x000001D83ACC0000-memory.dmp

Filesize
128KB

Download
memory/6816-260-0x000001D83A9C0000-0x000001D83A9E0000-memory.dmp

Filesize
128KB

Download
memory/6816-271-0x000001D83A940000-0x000001D83A960000-memory.dmp

Filesize
128KB

Download