netwalker | 197390ed197b649aba275ca233a210c21ec03323df2aa5a445db47bee13b619c

Analysis

max time kernel
104s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1
Size

904KB
MD5

dea68bfdc6efd19c1dc933d61f115a33
SHA1

18b45cf13c0f34b572dc99c95af2261c5333cbd5
SHA256

197390ed197b649aba275ca233a210c21ec03323df2aa5a445db47bee13b619c
SHA512

7baf099cc2394499744db0aa9bc18ebb6a77ff5d9784c520a985df074f9ea79527f14ac793d46acb8e091270e342087e2eae25daf700a7e36d86ba7c20344b93
SSDEEP

12288:V6AqPKqTq1cMlDjuEyTuCJwhEVg+82QvwyhXf3VZsH8p1dA3OIohPkKwbsWyBYsM:A

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\719095-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .719095 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_719095: jzJFnkHbZCLDPq7NRMbm0KUXgpRJhPo1ouhO6xZPDeJ6InXA5x U68FcofIO9C5KQD05SMc3APNGzHevUPr8ffhfPu1iXFNVa+Uim VgqAbPI1i98pDc/x2XuGlCxsJaKFvdGYuVt45coz1o5Wraapys DqWiYwPtEAjEY8HVJg+1MepLdPsMdaBLCkGXLPkBrH3u0obhT7 tr/vNB4Ufat/Xw84DSiQqqnG2nvLPBnnXh5TKhNFyXRPEeHO0p +uKY/aFhI/5fl0geKHMXR/41hud+69M8JTEN8bDQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6802) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\719095-Readme.txt	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-200_contrast-white.png	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase.Component.winmd	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-unplated.png	powershell.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jvm.lib	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-BR.pak	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxManifest.xml	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-125.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-white.png	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\719095-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-256_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-100.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-64.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\29.jpg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_altform-unplated_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeImpersonatePrivilege	3556	powershell.exe
Token: SeBackupPrivilege	6464	vssvc.exe
Token: SeRestorePrivilege	6464	vssvc.exe
Token: SeAuditPrivilege	6464	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4560	3556	powershell.exe	84
PID 3556 wrote to memory of 4560	3556	powershell.exe	84
PID 4560 wrote to memory of 5076	4560	csc.exe	87
PID 4560 wrote to memory of 5076	4560	csc.exe	87
PID 3556 wrote to memory of 4044	3556	powershell.exe	88
PID 3556 wrote to memory of 4044	3556	powershell.exe	88
PID 4044 wrote to memory of 232	4044	csc.exe	90
PID 4044 wrote to memory of 232	4044	csc.exe	90
PID 3556 wrote to memory of 6188	3556	powershell.exe	101
PID 3556 wrote to memory of 6188	3556	powershell.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1
1⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F25.tmp" "c:\Users\Admin\AppData\Local\Temp\awnpczmu\CSCB01A3A4B2E2740BFAD641B4F2A7F8CFD.TMP"
    3⤵
    PID:5076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F73.tmp" "c:\Users\Admin\AppData\Local\Temp\wwyng2aw\CSCA2C1A4CFACD64042BC75E1157598562E.TMP"
    3⤵
    PID:232
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\719095-Readme.txt"
  2⤵
  PID:6188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\719095-Readme.txt

Filesize
1KB

MD5
55694d38b5bb27dc4e06c1de9c8a8c8d

SHA1
b97c0d82f5de4dc3d6f5b44fa60dd3653889f058

SHA256
effa111e82e6c42be23e83559ddbe01c319482ec7f21066b8747e358898d283c

SHA512
8b3ab074288d21329ad5e64678a2ec9d216cc30f2b9ae698bd4b4d77f6d62f6a5a447f96be7a86a4b7377784bfa94e756672035b47ee33e55abef340cab29602

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
9d872a2aec68de5bf13c1ab232bb0316

SHA1
c756c1b63bc283abc8c2ceee8fffc28e3384cb30

SHA256
f8b5a3cf2309f1ff5fd7542d883a2f1e7193bef8e403b56dbf95992c80bb2f2b

SHA512
4962e38db369dc6ebe5efead402a929c4f923dbdcac53cb3f7c9da988aa904a3a51e573c612cfd161d84a12fec6de831db135f3d877fc4ad9838d9ebb4aa22d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F25.tmp

Filesize
1KB

MD5
a6ce0e0ff3f855edaa0a18987c3e44c0

SHA1
871d15c70c3b3d6edcc3e12b1b105bd194bdbbfc

SHA256
a286d2775958be4567f6662e04c7ab5659a3be6561d0ca3fcc5e2d1d2d97f936

SHA512
ac1e934d06e8ffd392444d9ba3280f2e5b0c277dc26e086c4a87831bc786f8d38909e242de837d156791d6aa7db1a9daf7e35fc182a07ee35ba66c604da45f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F73.tmp

Filesize
1KB

MD5
09727b17d92abc320c1800225a96726a

SHA1
7c5c21e61ded34173dc4255932cfee48f7ae5b78

SHA256
afaa02c2277ead3b33041a94de525f259a444fe16e4c7946894eb984f9516611

SHA512
41f7f89aff2c62cf7444eed2b2e81016207401267a61c47bc07855e450e95e9d6afec44f20e7fdd6c23e9e92b0209c0b688985b36ed58575360f572aca3b73d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rbconqed.pjf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.dll

Filesize
6KB

MD5
27aeb815cdded7c366f9164af6caeaf7

SHA1
0032df40f6f41c61689c696a4c9f7496ee64cd5c

SHA256
f7694b9231e9c6de56d1a80bb00ae937be5c7d8df2dad5d342b627c6475abf03

SHA512
6d119db48a9fddc16dbf25743b1041ada34dc2abb3e01de6650db3d31b3b5579a7d229189a1268e9e7b6fa191ea063d3dcc75a58ff28d6c0d5c2cc39de9da71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.dll

Filesize
4KB

MD5
82a5a394f178ab9094128134394e806b

SHA1
64492a4a8974040c60ede81ba0fd317babe91c4f

SHA256
d0ccc9f634163aca9aff0773df0a7f7e8be32a87d605e7d73ce3cd3f75d2d0f3

SHA512
8583925c418122f9ff4fa6ed56ebc4cddf1a15762779e90df503ab15db150bdafac0922f19aeab81b2e224b6336aef49808f69247c681e3610f05db998ac1d07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\CSCB01A3A4B2E2740BFAD641B4F2A7F8CFD.TMP

Filesize
652B

MD5
590ece9ab8e641cd5a73388ca5f4f558

SHA1
42d74138bed9de079d605cf9a5e8bddd16039846

SHA256
b44726e196791fb12ad6847c3e1c29c76d5e954bf22c86c0b88415579e988b4c

SHA512
a1b34199edd5cfe486f95aa52152ad1e3e383ae1f0243f875b602b8349f3ceabad3e4b376ecd85427c8f67359a047fa9a316cbcc6ae79b21f1037f7888feae77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.0.cs

Filesize
8KB

MD5
d5c00611ebcab33ffe4fc0f571f14b46

SHA1
cea0b42714d5e88cc7441b1cca1c6c4dc3626e83

SHA256
b04adeb7a2519d2ede2849c84bb6516e4471154caa1eaace60cf57f58cbab47e

SHA512
77782080e1ee91ffed3088a52ab236dfd06d9a9269f9df9a1575594862bbea5e9dab3f797b4ed862bb52026f253574a6483da82281f5e1fd9c25b84773b54926

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awnpczmu\awnpczmu.cmdline

Filesize
369B

MD5
1a6fb1f990242d9f4de9fe91022b251c

SHA1
09761a225891a18ef70a89ee2f01f37cc567e682

SHA256
efd204b3a9047f7b841bbd2e2509069fd65f37df82ca5b109c3e1f0c3c80f009

SHA512
cf0b780b23ff890aa31c3e3e20ca2e4b524cf6816fcda1ea730439f0d785fbb5359bb97f38dac5f1a5f102ec5746152963fc26df17f8b1a8a11e65dc585e6f09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\CSCA2C1A4CFACD64042BC75E1157598562E.TMP

Filesize
652B

MD5
2b322e16352728d73b6aab410a4849a3

SHA1
e485fe7372998a8a22caf30030201fe3b9a9ad01

SHA256
09a66912deca78a63539f3f3c3b701ba34662bfb77d926b3e068ccbd626b10cf

SHA512
d76829a27339bf4021520d4f7d3d14761ffb3e41c64ed593b26edcc60790ffc73645a56db5c6905cebe5e4962181cd04a81c2993ab9ce4dfff1658f21d66bfef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.0.cs

Filesize
1KB

MD5
c6165496f076b4dc9c829317274a7e09

SHA1
0b2e56f84dc5d57a189d8079eeb761b8b91c96c0

SHA256
661a347736b792bfe0810528af624db0968e0ba6f31d2daa2a6645fbe6749ce4

SHA512
57499e49c60aa17e9eb0bbd0828973881c1b405ef7459c2618785e1fc28495544f9e9e7dcbbf75982f30e2a8af1f8e66b14ec85d87a88ae8fec6f0024553f9f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wwyng2aw\wwyng2aw.cmdline

Filesize
369B

MD5
d86c500378518f648241b031a2c30737

SHA1
6d07d48190b87f108f9805f38c2b4f2242492276

SHA256
c9f167c8d99a6c695167b1b43824ab6b90f3e1d26dc4c37a2f81fb82db04cbb7

SHA512
8dbeddd09e4129fc2a17d04bdb978fd59725e5d7f007bf246cc431cae90ea48c3c8626b2e8fbede1e95e8828f697707f6e9d24c758e4e00ea02928129edec6cd

Download Submit
memory/3556-67-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-59-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-14-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/3556-27-0x000001A86AC60000-0x000001A86AC68000-memory.dmp

Filesize
32KB

Download
memory/3556-41-0x000001A86BA70000-0x000001A86BA78000-memory.dmp

Filesize
32KB

Download
memory/3556-12-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/3556-43-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-44-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-48-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/3556-49-0x00007FFD1AAC3000-0x00007FFD1AAC5000-memory.dmp

Filesize
8KB

Download
memory/3556-51-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-50-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-53-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-55-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-56-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-79-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-78-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-77-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-76-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-75-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-74-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-73-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-72-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-71-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-70-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-69-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-68-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-11-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/3556-66-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-65-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-64-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-80-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-62-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-61-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-60-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-13-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download
memory/3556-58-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-57-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-63-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-54-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-52-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-88-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-86-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-107-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-106-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-105-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-104-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-103-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-102-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-101-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-100-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-99-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-98-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-97-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-96-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-95-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-94-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-93-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-92-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-91-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-89-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-85-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-84-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-83-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-108-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-90-0x000001A86BAB0000-0x000001A86BAD2000-memory.dmp

Filesize
136KB

Download
memory/3556-1-0x000001A86AC70000-0x000001A86AC92000-memory.dmp

Filesize
136KB

Download
memory/3556-0-0x00007FFD1AAC3000-0x00007FFD1AAC5000-memory.dmp

Filesize
8KB

Download
memory/3556-22390-0x00007FFD1AAC0000-0x00007FFD1B581000-memory.dmp

Filesize
10.8MB

Download