netwalker | d0bcef569548210cf0d2f1ade88c6f92d48fb4b1ce7d3bfb21987ca796c6465d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1
Size

904KB
MD5

ef2a52b9b2457045fefc4d5374b73261
SHA1

ef3714bf11b603f0f3b8be77d84b98930970b77c
SHA256

d0bcef569548210cf0d2f1ade88c6f92d48fb4b1ce7d3bfb21987ca796c6465d
SHA512

b9427d73b9edcf5f140816dc615884eff76351c19cb0ffa5860e382599589a7e33a50f22165169790f2621f2e40e4f0d072464e639a1f43503f0d0888ad39b46
SSDEEP

12288:sOCK75efghgLg/GDL6LOLL7LkXx4OKqWLLLivLYLLL8LxL5x:l

Score

10^/10

netwalker execution ransomware

Malware Config

Extracted

Path

C:\Program Files\Microsoft Office\77D69D-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .77d69d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_77d69d: ao7Z5GXy6CtE2a+SU4/6C2lH6YuSeu/FI3lLaA4t/PCs71ULvR Mk7IW3gyfyM9ZcLm4z6+Rt4B3hPrXFYP0WlO+SP+CDz7NGjQc1 +Bq/Ebz2UcH1n10q1dEpA9auVvq5zjtacZmSJofpSHekXQjwFe zyi3KXL1ajuL0/RWyjbze8HgVrvOA/zUkxsMyHH5HWX4R9Y7l9 YDly7nP1pe7vZSRKGF26T9QF0owobAttJfMJvHSZEvUMC+J+/9 4nyf9ZSjJUfqoENV44A3zUiuVuUuCO8ktx5SzeTQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Renames multiple (6786) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE	powershell.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\77D69D-Readme.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-2x.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\77D69D-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ExploreButtonGradientLight.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-400.png	powershell.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.winmd	powershell.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-400.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Other.DATA	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest	powershell.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256.png	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-72.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-125.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-125.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-48.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-100.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\77D69D-Readme.txt	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\77D69D-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM	powershell.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\77D69D-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-black_scale-125.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	powershell.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\77D69D-Readme.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\AppStore_icon.svg	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-high.png	powershell.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125_contrast-black.png	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.ELM	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1068	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeImpersonatePrivilege	1068	powershell.exe
Token: SeBackupPrivilege	8472	vssvc.exe
Token: SeRestorePrivilege	8472	vssvc.exe
Token: SeAuditPrivilege	8472	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2964	1068	powershell.exe	83
PID 1068 wrote to memory of 2964	1068	powershell.exe	83
PID 2964 wrote to memory of 1872	2964	csc.exe	84
PID 2964 wrote to memory of 1872	2964	csc.exe	84
PID 1068 wrote to memory of 1592	1068	powershell.exe	85
PID 1068 wrote to memory of 1592	1068	powershell.exe	85
PID 1592 wrote to memory of 1464	1592	csc.exe	86
PID 1592 wrote to memory of 1464	1592	csc.exe	86
PID 1068 wrote to memory of 5864	1068	powershell.exe	97
PID 1068 wrote to memory of 5864	1068	powershell.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef2a52b9b2457045fefc4d5374b73261_JaffaCakes118.ps1
1⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "c:\Users\Admin\AppData\Local\Temp\oipcnkss\CSCD1F5FCFBA3CA4CC19D4D244A94848FA.TMP"
    3⤵
    PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp" "c:\Users\Admin\AppData\Local\Temp\fqldaft4\CSCC4A36703DC9D4E34B08877A729C9E766.TMP"
    3⤵
    PID:1464
- C:\Windows\system32\notepad.exe
  C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\77D69D-Readme.txt"
  2⤵
  PID:5864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\77D69D-Readme.txt

Filesize
1KB

MD5
a3d136b39ce28b89bafa2ea1f625508f

SHA1
e77d31bfe36a5d2500d1f2f2bf1ddb4272430721

SHA256
238908c1f706310564f84e65e6ddc779d67cc38cb70b178a2a4adb34e55fb751

SHA512
b25c377a591ea358d7f45ee9de10dc7b6eb37211719fe6c8d67379abc057e78a3cbf1b55517e58d4dce98c4673f599fd25d245daa5ba7dfbc8db9ee44160150e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml.77d69d

Filesize
2KB

MD5
fbc337163f8ebeaea50735cb4d968b72

SHA1
3b0906d7afd677bbe8be28c23cd5b0dc6c9e2fb2

SHA256
e6615b8bf5c35ffc04fe0565917c6f77fee68442d41d19df3557c541a555e889

SHA512
320ede48033bba2e850ff2db6f77f52bbe2145ee9c3edd087be67cc8b1c86e82c9680df9ae23b24fcfe2c2b1729f3989c14ed49c152c2648744ecbfcaac5b77c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
67c2b4823d7f9e57907e22071a81803c

SHA1
9ce16289ceaeb0f6e4ad5a24518206da889b1df3

SHA256
c14f0363691b2786d5f1fcd0237608003175da404089c8c8f6f7adf813db303c

SHA512
b94b0f7de479dc05703344210047127584131996baf9fa2f53d9bcd80de835fc6383401d4f7dc9869f85812efe5e01881f4dab4607f2c814d2f3393ccffe95d5

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A64CD22E-7976-4E35-AF61-1C7DBC1F5743\x-none.16\MasterDescriptor.x-none.xml.77d69d

Filesize
27KB

MD5
5a7f65aee7d294db0a942cdccdcbe48a

SHA1
c181091f74743ea04f71bafb86d34aaa8ca96176

SHA256
f19f474e4fc478ea4f4d99d70c281b9751accf7f8b75c802c2a1c5ad7b996b1e

SHA512
257e9ba4108c1006ce8045f4dec407c34f2e1696ff58632ce0241f4b09f10609afea5aafbca6c00b6b4abe19400a034178a91ff5b8c37da20ba04d7420c28a1d

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edb.chk.77d69d

Filesize
8KB

MD5
887f2b37098f43fae126b9adcaed7d17

SHA1
3882eb570268389c9f49cc26606d3b639e641d3f

SHA256
fdb016799c535b40741601a1fa487cd88142c48f10dacc45cb88d40710112eda

SHA512
2acac0961e5a934c5da41333992845276294315e7ab21641d15c215177f1f3def1247b10f0e99e7ae77cf0e1532d457caebfd252b6603f3cfa3088b85ab3afba

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3c8c7eb3-7a1d-7981-0472-571cdd1d1292.xml.77d69d

Filesize
3KB

MD5
1401679b9604eb591816e3812e2681d1

SHA1
19fcd33665b9c557270ecb2ee65aa909c8934cfd

SHA256
4c2cb06aeba00d762a25740fb7cddff10aad379b11227cb6438347afd61cb778

SHA512
db4e37977484d6d27ddf3dfbdf1645f91d4d553b73b1ce874e14f639e9a257ca965b69fc4c36504bea60cc489cde05f2c756a65967a304128e3e295c2a771f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB853.tmp

Filesize
1KB

MD5
0ccbef311fa1c7f19db83d8ca36e7ae1

SHA1
54af95d5052472c54a98eeda23d53411e82daa66

SHA256
40e4f4d479fb98e4f0e8b099feeabcde71c5d6a2f7cb79f9b6e967728538fcd0

SHA512
e0a7de95cd974a45086d023d336cd4a0ba5afb9f194583ee80e41ce3700fb0fcab3a00451842a70f4fee683c48390a53ca820bfd35f9350d5c82fe9b6d7259e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp

Filesize
1KB

MD5
e45181dda9d08f9cdd5673c1d11524ce

SHA1
52aa62080f4c349bc9ac61b610effe6e44c87d4a

SHA256
016e7e774936d1d79bee06638ac923f2ccd2b0cac41732a208c7c531ea86baf7

SHA512
c873654daaea49017b9009e6aa90fe63719dd8c65896f0000c0d7561ec4bffa3f19dd7e627686ad36954dc7fca1cca2e216a702f9a63aaded108f8cc78182057

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iunzei4m.kgf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.dll

Filesize
4KB

MD5
7acabe204b250c52bcc2cd148fc76213

SHA1
ddf5192d439cc3531e4243985a0a941f6610a3d9

SHA256
7bc838c3799f988d95f13ec8f6e3038e254d6d71096dbf06f98f269aa99a4dc8

SHA512
ca71fbf195c47ac06161bc53faf66a9e22e0b6660c5d8a23c56b55e043dd9a76ff30f5c77464c335d86ce1123e0962df5fa7cea0e5602c2bdedee8f99b057896

Download Submit
C:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.dll

Filesize
6KB

MD5
e73069c4212c06d75cfac13bb12f377c

SHA1
6dde88f6923a6cf66cab6c2c28261a96a18521ca

SHA256
c905883b062800ba99053d0a181eb03b6344cfc5d9b5e1e4ea50faba5d6eeadb

SHA512
888a907df3176d86bdc97650105645890a636fad8aec2c2d8019a6de68a1d6d0101a326208a461adb0c0e6bd499793c3c8294959da4cbf95df0ed05a11ef18e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\CSCC4A36703DC9D4E34B08877A729C9E766.TMP

Filesize
652B

MD5
b0959788aabc9e9aeb4225e528a28655

SHA1
fd1659e4380d12f7d80fbee599c542f0f62d51d8

SHA256
95b845ffaf36479952785fe2a5b78010c1ed1800de86c7fcc386dbc8a716fd38

SHA512
80d594af4568587c2326ac8659308913e11e0803fcaf7b46f61d50cd618271fef16599b6e838951f929c470e96722951673cdb34f2205cf4dee1dc462e14796e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.0.cs

Filesize
2KB

MD5
c893ff54420a206c4206af5107a02bbb

SHA1
8a90c410a55d545e71425c061973d566a52e1465

SHA256
efd3d07c27b013c8b5924d1ec0e58ed4315c38f8261169931f464de78ccf9b21

SHA512
8f9c695560994c9db400661ef183328559379c6d722527f9d01ae181dbc6a01984ac007d485cf029ed1be1990a36966d8c6b840623e851fd3a0a32ba7c447c27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fqldaft4\fqldaft4.cmdline

Filesize
369B

MD5
d5c69104c6d0fd577bd906769461bc16

SHA1
35a3ad85065def82005d049d47a8378fe7b6c0de

SHA256
e591b6239305db6ac87368f43f7267e7c7313d9d560d91ed1d79511f61a21919

SHA512
6b9b957fe6b95de00cff27bbf3134ada6c8af1841928d3b2c27c87ec87597cd97814475818758a70e6508fb31df738e3d3084cfa446ea825341bd3dc18899133

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\CSCD1F5FCFBA3CA4CC19D4D244A94848FA.TMP

Filesize
652B

MD5
97d26e8bead4d5b7a18301416c09e01c

SHA1
650b38bc074f628d248b0d687fe3663a72532840

SHA256
ed3b1504b764001fd3a4c7b275f0fee2c3eaea958f1c424b402803b21ca1c4f7

SHA512
c38696aa2455c553414a468ff27819e45e1e25ac22727311dcd7e14a8e3d5b45fb355714e5976269b4f8a4f9d67997cfbd05272d588b1b55a6db7d3ecbd104bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.0.cs

Filesize
9KB

MD5
02a0899f755d28aa8ca5b6dbf9d79db8

SHA1
5cbb31d741541eb9a6ffff3b5ea404fd462d4d12

SHA256
c789d50f8fd9714067788f5f35199ac13157da910695570b7662beca2750d00b

SHA512
2d1dfaac2440f630bb391e3b3fe4bfccd4c91dfb6d6382201b8a14c419d89ac97ef52ad0a40490ee50879dd08e14cfd7a760978bd4921e1ac849877d84b5bcdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oipcnkss\oipcnkss.cmdline

Filesize
369B

MD5
b5ee11702b7cafa4ed7d55f8a5824130

SHA1
e935e382f1f5386ac62094c701cde784e178c41d

SHA256
30a266577da4627d62732ebc256a90201a4e011ab6f46c69fb2809d80161af05

SHA512
3797c428a5534859edf7b76f72559fe6b18ef789a68c053ba422fc5f32c58fdde8e75799666b6129c3026db59383b075a8372aa7845ce86d0b32d6fc34d39bec

Download Submit
memory/1068-94-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-86-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-43-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-44-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-48-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

Filesize
8KB

Download
memory/1068-49-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1068-51-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-50-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-52-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-55-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-79-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-82-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-108-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-107-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-106-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-105-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-27-0x00000275D6C30000-0x00000275D6C38000-memory.dmp

Filesize
32KB

Download
memory/1068-104-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-103-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-102-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-101-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-100-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-99-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-98-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-97-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-96-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-95-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-14-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1068-93-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-92-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-91-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-90-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-89-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-88-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-87-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-41-0x00000275D8EF0000-0x00000275D8EF8000-memory.dmp

Filesize
32KB

Download
memory/1068-85-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-84-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-81-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-80-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-78-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-77-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-76-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-75-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-74-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-73-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-72-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-71-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-70-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-69-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-68-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-67-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-65-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-64-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-63-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-62-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-61-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-60-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-59-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-58-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-57-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-56-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-66-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-54-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-53-0x00000275D9180000-0x00000275D91A2000-memory.dmp

Filesize
136KB

Download
memory/1068-13-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1068-12-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1068-7-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/1068-1-0x00000275D6C00000-0x00000275D6C22000-memory.dmp

Filesize
136KB

Download
memory/1068-0-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

Filesize
8KB

Download
memory/1068-24414-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download