netwalker | 991a843a7f99ffd47fbdd9aa486abcfe8c97540248542b8f1fa878760f70a000

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64248d0299618de7464d665ecec906c2_JaffaCakes118.ps1
Size

908KB
MD5

64248d0299618de7464d665ecec906c2
SHA1

163e2607670ee5008ba4d371f0832cbda0743943
SHA256

991a843a7f99ffd47fbdd9aa486abcfe8c97540248542b8f1fa878760f70a000
SHA512

d2eaf1e04177471ce363a5871dd7586f5da6378a1b99d59fa746b9df618813e726e2f5c7c88d1c6abe219070b2bdcba5ffb78065b8fd381af60eb93ffc15c59a
SSDEEP

6144:y/WXp13E8LFVy9KrE0zxiRgvLK9HvsG8todmCn4q/FVv4fTYnGu9TKC8+3Kk:y2rbVvdtqzZdKC8+3Kk

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\MSBuild\B1C597-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .b1c597 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_b1c597: dp/6NPp6bKSGtTXKIC6dddPMBVdoir8ICl7qI/XP+2+AvTYJ6c IYUjTUXZIJQLd5T+Slb9oZBiLtTfu3xLGFPPrSZQ8kn/VuDDvF yHLxi0hQIZD4K27LvpEuBYUusEzZJMkztciCqtdVw6LWHAFocN HYIbUJ3nUqzPpKl9DRg/4wEo+WYA6E/t/TDi1agSYLqud7nxY1 MQggBYYCWTFLRQXnJEaR+OFQIk5iFV6JOBR92/622HQOYcuyc7 JOJZzmGmfKHwaCQ6xeD9ZnZutx/6oXgtdg2p86pA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (7440) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14710_.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143746.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIPC.XML	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR98.POC	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\HEADINGBB.POC	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00008_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	Explorer.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.dub	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXT	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXC	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	Explorer.EXE
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\B1C597-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XMLSDK5.CHM	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kosrae	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152570.WMF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\jce.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver	Explorer.EXE
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\B1C597-Readme.txt	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	Explorer.EXE
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML	Explorer.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	powershell.exe
1700	powershell.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeBackupPrivilege	2240	vssvc.exe
Token: SeRestorePrivilege	2240	vssvc.exe
Token: SeAuditPrivilege	2240	vssvc.exe
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeImpersonatePrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2316	1700	powershell.exe	29
PID 1700 wrote to memory of 2316	1700	powershell.exe	29
PID 1700 wrote to memory of 2316	1700	powershell.exe	29
PID 2316 wrote to memory of 2644	2316	csc.exe	30
PID 2316 wrote to memory of 2644	2316	csc.exe	30
PID 2316 wrote to memory of 2644	2316	csc.exe	30
PID 1700 wrote to memory of 2652	1700	powershell.exe	31
PID 1700 wrote to memory of 2652	1700	powershell.exe	31
PID 1700 wrote to memory of 2652	1700	powershell.exe	31
PID 2652 wrote to memory of 2656	2652	csc.exe	32
PID 2652 wrote to memory of 2656	2652	csc.exe	32
PID 2652 wrote to memory of 2656	2652	csc.exe	32
PID 1700 wrote to memory of 1204	1700	powershell.exe	21
PID 1204 wrote to memory of 6592	1204	Explorer.EXE	39
PID 1204 wrote to memory of 6592	1204	Explorer.EXE	39
PID 1204 wrote to memory of 6592	1204	Explorer.EXE	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\64248d0299618de7464d665ecec906c2_JaffaCakes118.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nak2_dds.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2186.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2185.tmp"
      4⤵
      PID:2644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gp_6oywo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC22BD.tmp"
      4⤵
      PID:2656
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\B1C597-Readme.txt"
  2⤵
  PID:6592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\B1C597-Readme.txt

Filesize
1KB

MD5
420c0ae4249e69dc75d1885a0b31e6e2

SHA1
8379c387d883352ab24144b043f732eadf8753c2

SHA256
f52dad93365706471f7695e6a3b0e23f931c0e932f0c0218e26534b85a240146

SHA512
244dd51ded68bdcf91e5125c4af2a42c8a8e334f7055c7a64ce85278987985851b3bc06dc5b7bbf7ed766ecbd52f9a332eafc1ea6ada75e179c2a6c0c1f12f79

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W.b1c597

Filesize
229KB

MD5
bd05ad6f3fb61a2b77c9f10d9a6e5818

SHA1
709daf413b36e16e2ceb4ff23e47a979f9388785

SHA256
71be2c49689c7d0e39661c0e61418315c8c660582d2fae5190959d03884f6cb3

SHA512
d9e48336249d2e2ce140785c24acfe2fa20810578692aef091bcbd8bcb95753f3e125541bb84f1c92b5bf6b4724a807fe705c0cddf1ff7fe2b4f895a039df57b

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat.b1c597

Filesize
29KB

MD5
a9a632c47ca3c4c26f233d2a8ae3c281

SHA1
8fd6050357e64146fd9040178d6691a9b6976aed

SHA256
30fcf377e27c29d7a919cad4c6104bca382f8328cd2dabf11ab29085ac6b4486

SHA512
e03e84f43c8849d53d5b46d2e4816ad2e418e884682efe4dc79905fa052a7ef0fa220960b3440cc710603e255a902086ab0a93ebd8f7905266f05603b2cd97aa

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000.b1c597

Filesize
506B

MD5
30529fcc852462c5320d4588e45526d5

SHA1
235a2b682fc9fa766a59ba51d15416e58f9e2781

SHA256
1512f14a18cb7a5ead023fd257a5517ea945689542bff3dcddb403d6bb8c319c

SHA512
9cf40a128f8373ba653d45c0788ff7107de22d5695f5e736a548e1aa105852080ace9c1e278ab9bc6d93f930cfc6a819223f2f3d0bef62ed6b3f952895a0e7d2

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000.b1c597

Filesize
506B

MD5
00391c97ac8287d41ea08af43117199b

SHA1
9109dc89b2ff3c1efcdf7991119801d4888bee97

SHA256
7b01450b3f7d9cc466488b8d512551a199b8add12d63f5442c35aabddd3a238f

SHA512
7a8e0f2d3ba9892e99d71eec305c143eb80c1c15d8cb56f54ebeb9f50c69db9418ae0220ef90dcacc25f91635a3b999b5f7f4061e4d54034487871c8ed79ce5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2186.tmp

Filesize
1KB

MD5
1131a43a9e4e2cd7ee006c435cc61a30

SHA1
7e0a0441781b9cc53e6c2efeb068dc1c80dcfdab

SHA256
8791c4ce9265322d5774e397daf60176e0cfdb544cd056ebcd4bae85991cdd7f

SHA512
75f5086c4f5a629857006ca41396ed4baccfa656e81939fe227e4f805db1ac7277f70557fbefb7c284ad52ea7a7c6c172ae21bd9945f1ec237a6688a0a0954a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp

Filesize
1KB

MD5
41909e0fdc036906626e8636a1998120

SHA1
00f5a2a69efab56811c1438e3102758eb88aa865

SHA256
9e287012782b8d3ab51ba4b80dc0eee15a963d8fdb25e8f229a2ce9bcdca6962

SHA512
e1deb0a0e1e5b28b55410c7efbb37dfe93c4ea1b5fda83dbb4609eeca4ff9cdb6dc98378334ee037ff2158354cbc4b93c3fac64f546116f5e10a05cc3d5dcbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gp_6oywo.dll

Filesize
4KB

MD5
eca3333a9a9c01fe2d238f6a7a56557e

SHA1
193363a70486d8cc26d80eb2f2329da3f570d09f

SHA256
d5e6d96a770c3803f52ed2f36ac2fe001b8b3518578b90d3c1f0bed58a7f559d

SHA512
0061b64a7f3b2ae39b1faa31081775f65283d0d8361d8faec161b5e9766a88776292685136bc696f13bd0b8e505b9b3a71c4f87cf35482d6a6be2e02e7902bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gp_6oywo.pdb

Filesize
7KB

MD5
229302f2f50d676aeeacc1d9c838e524

SHA1
dc16611f798fd2f0143cefb85e86687dd2fc5349

SHA256
7c0301e6a070e04880ff4dc54878dc34c093d9f9103431036bae27cef03c40d3

SHA512
2a36b2b54c39e8bfd99839afe1412ccf42a62860560de2f1869e08731937f5fb6a5eb81910fdf97079076e909767c815df5eadbd1010b2c053e77a6f1ed6e8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nak2_dds.dll

Filesize
6KB

MD5
4272387deb3bc7c137b7cce7b945ff6e

SHA1
ad94a490778452dc9d23fe392662aa6968f6dc1c

SHA256
1dc852ea28376dac1943e0a1f2ef9d14fcc3701a31c7466c125ba9c3932a9283

SHA512
e193694c6236287b4ea49f0b5ea311c3beb709c871c37165170f5160fc61cd6c32d3199f03a052c516cc4b279be50f54cbf6a4e566ea579fa800ac60f2d609a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nak2_dds.pdb

Filesize
7KB

MD5
81739eef769c2050b8188d1ec0c614ad

SHA1
871233a7ab39397122c58bcf7fe29b3bb1f160d5

SHA256
64b959eea63b70e5f700a621bacfda3ad89bf92dc1a0ae5e69185346f1fb5100

SHA512
9f2153c275a98349924a3cf79098901bd77e25bc80f3dee9114f6d1da2ce8f772afe3fc20b9e3f14c9c4dd1e7609cae744b382f6da0f22a7276e7552f7372fca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2185.tmp

Filesize
652B

MD5
9a8bba58c3fd4b4a8dd2f0764f6da07c

SHA1
974d2940cf26ab3a3a29bc0d7e3926ac361771b4

SHA256
13243d09a17affbbd0b7bed9eae103f9de41f2dca17c692303b498f8eb4ba222

SHA512
b3627cec42c057348fb0ac97da56167e8f2b9c496f77a66e90b111c09737732bafe2f7d052cc66890cfb84ae0754cbb512d5d694f84a6902c0e79f5ed24732f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC22BD.tmp

Filesize
652B

MD5
277470479875719edc0fb525095b3807

SHA1
f2472a96aa88b83b3d5e4d1749f9aed4672a8bd9

SHA256
a09de55a09ba3a50d430ff4689a52dbfadf0bc6daa5915411dbe2e1c9b1fe6f5

SHA512
7304304c20bf62afe8ef229d531a7320292586cb80402b6a4a858ef128cac067e9c37391a33f80147155c26ba18fd05591fd8b3e006ba8fa60c7a69ae6cfa442

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gp_6oywo.0.cs

Filesize
2KB

MD5
d491bc3537450532785880e98f087e97

SHA1
bf5a817e3776cff4554c03206159c54717ca09f2

SHA256
7e7bd87416a61d72128f5c5bdeb3b3054631393d22acfd84bc0a351e4cc6b491

SHA512
ebbd7f91049304640f30697cadea49eb8f69a26dc1581dc2e58fbf16421769ed5df67b4fe4bfc1dd6c58367adea0449c52aa26c0286e7ab153c6571b7fd59856

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gp_6oywo.cmdline

Filesize
309B

MD5
f1d102da0d528a9b646adbba80167e27

SHA1
34e9f4a75de400369f25e8a397dcb181f748a960

SHA256
fb091e8a9c0619f4c79ca2fb8b2ca138286761934a5d4d173d75fca63da3250c

SHA512
986f041f95bd013e0c4ebed1804b95bb663c9a9f3e5c7346b07d6d5e5b31889837cacbe520c33e779034bfcf32bfc5e1f6836e3561742e277ef6b015b111abed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nak2_dds.0.cs

Filesize
9KB

MD5
77db487c078b0fa51e7fcace9b258cf1

SHA1
f73dc69329586dd07c5f4e273c03ee9164dc4936

SHA256
20a335545d41bad6dd654205fe7e8e38c807634307edc4463661f172d8b575de

SHA512
471f92bfb9a32090fa925e4cea14b218a290560e27ec5726ae65b8999293eaf3bb0f7b1b45595076a93d1406d00a5b61a1aa0c2b79294f355ef6df0f25f36cac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nak2_dds.cmdline

Filesize
309B

MD5
3727bb9442447a5450bd199cd06179a4

SHA1
92091dca993ec7b71aadb62d1694e79d3c877998

SHA256
2d2ac9c47c79053a02ffae2c17b26474a8d1204abe5d035b2ab7b32782935da7

SHA512
55fadaead93bb589f7663c75ca1db84635749f37ed32bcd3df9532e69d6b9c15a02b0d5c90f997d1aed0b5bb5c2e37dd227d81485e450aadcae4ef9378f22e17

Download Submit
memory/1204-99-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-88-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-108-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-109-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-110-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-111-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-100-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-105-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-106-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-107-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-101-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-102-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-103-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-104-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-56-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-57-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-71-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-64-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-63-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-65-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-70-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-69-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-68-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-67-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-66-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-72-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-97-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-96-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-95-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-94-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-93-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-92-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-91-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-90-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-89-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-73-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-87-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-86-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-85-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-84-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-83-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-82-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-81-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-80-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-78-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-77-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-76-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-75-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1204-74-0x0000000002ED0000-0x0000000002EF2000-memory.dmp

Filesize
136KB

Download
memory/1700-10-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-7-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-61-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-47-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-48-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-50-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-51-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-27-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1700-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1700-4-0x000007FEF5BFE000-0x000007FEF5BFF000-memory.dmp

Filesize
4KB

Download
memory/1700-52-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-11-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-43-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/1700-49-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/1700-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1700-9-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-8-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/1700-46-0x0000000002100000-0x0000000002122000-memory.dmp

Filesize
136KB

Download
memory/2316-25-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-20-0x000007FEF5940000-0x000007FEF62DD000-memory.dmp

Filesize
9.6MB

Download